martijnvanbrummelen#590: Documentation: Update Readme.md with information regarding ssd media (martijnvanbrummelen#597)

* martijnvanbrummelen#587 Introduction to SSD wipe

Added information to readme.md regarding the lack of clarity about SSD wiping.

* martijnvanbrummelen#587

* Added guide for SSD

* Update README.md

Extended the disclaimer regarding SSD Wipe and fixed two typos

* ssd-guide compatibility note update

Added information regarding Samsung SATA SSD compatibility to sanitize command

* Added Solidigm compatibility for sata sanitize

* formatting (no content change)

* Added .DS_Store to gitignore

Added .DS_Store due to development on mac clients.

* Update ssd-guide.md

Added clarity regarding risks of incomplete sanitization of disks due to intransparency of vendor tools.
fthobe authored Sep 6, 2024
1 parent 2e6ce16 commit 4278f69
Showing 3 changed files with 64 additions and 0 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -20,3 +20,4 @@ src/Makefile
src/Makefile.in
src/nwipe
stamp-h1
.DS_Store
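
Review bot: The `.DS_Store` entry appended after `stamp-h1` is a macOS Finder artifact and is unrelated to the SSD documentation this commit is about. Consider moving it to its own commit, or keeping it in each developer's global excludes file, so the project `.gitignore` stays limited to build outputs such as `src/nwipe` and `stamp-h1`.
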
12 changes: 12 additions & 0 deletions README.md
Expand Up @@ -45,6 +45,18 @@ nwipe can be found in many [Linux distro repositories](#which-linux-distro-uses-

nwipe is also included in [ShredOS](https://github.com/PartialVolume/shredos.x86_64) which was developed in particular to showcase nwipe as a fast-to-boot standalone method similar to DBAN. ShredOS always contains the latest nwipe version.

## Limitations regarding solid state drives
In the current form nwipe does not sanitize solid state drives (hereinafter referred to as SSDs)
of any form (SAS / Sata / NVME) and / or form factor (2.5" / 3.5" / PCI) fully due to their nature:
SSDs, as the transistors contained in the memory modules are subject to wear, contain in most cases
additional memory modules installed as failover for broken sectors outside
of the host accessible space (frequently referred to as "overprovisioning") and for garbage collection.
Some manufacturers reserve access to these areas only to disk's own controller and firmware.
It is therefor always advised to use nwipe / shredOS in conjunction with the manufacturer's or hardware vendor's own tools for sanitization to assure
full destruction of the information contained on the disk.
Given that most vendors and manufacturers do not provide open source tools, it is advised to validate the outcome by comparing the data on the disk before and after sanitization.
A list of the most common tools and instructions for SSD wipes can be found in the [SSD Guide](ssd-guide.md).

## Compiling & Installing

For a development setup, see the [Hacking section](#hacking) below. For a bootable version of the very latest nwipe master that you can write to an USB flash drive or CD/DVD, see the [Quick and easy bootable version of nwipe master section](#quick--easy-usb-bootable-version-of-nwipe-master-for-x86_64-systems) below.
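
Review bot: The advice to "validate the outcome by comparing the data on the disk before and after sanitization" cannot cover the overprovisioned areas this same section describes, because a comparison run from the host only reads the host accessible space. The sentence should state that limit so a clean readback is not taken as proof that the reserved areas were erased. Smaller points in the same hunk: "therefor" should be "therefore", "shredOS" is spelled "ShredOS" in the paragraph above, "Sata" and "NVME" are normally written "SATA" and "NVMe", and the sentence beginning "SSDs, as the transistors contained in the memory modules" is hard to parse and would read better split in two.
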
51 changes: 51 additions & 0 deletions ssd-guide.md
@@ -0,0 +1,51 @@
# Guide for the cancellation of solid state media (Sata / SAS / NVME)

# Index
1. Disclaimer & Warning
2. Current Standard Commands for Sanitization
3. Manufacturer and Vendor Support for Sanitization
4. Advised Procedure for Sanitization of SSD-Drives

# Disclaimer & Warning
The following information is given without any warranty and indicates best practices as of the writing of this content.
All information should be validated for the precise manufacturer / vendor SKU you want to sanitize.
Any sanitization process should be validated by comparing the information contained on the disk before and after sanitization assuring that the previously stored data has been destroyed.
Given that most of the manufacturer tools (excluding nvme-cli as it was open sourced from the beginning) available today are closed source, it is not possible to determine with security if the respective tool does or does not effectively verify the outcome of a sanitization.
To assure a successful sanitization it is highly recommended to compare the data contained on the disk before and after sanitization and use the manufacturer tool together with tools such as nwipe.

# Current Standard Commands for Sanitization & Support by Manufacturers and Vendors

## Current Standards
All major block device interface standards contain optional block commands for sanitization.
Below are the standards listed for reference:
* [SATA ATA/ATAPI Sanitization Command according to ACS-3 Standard](https://people.freebsd.org/~imp/asiabsdcon2015/works/d2161r5-ATAATAPI_Command_Set_-_3.pdf);
* [SAS Sanitization Command according to SBC-4 Standard](https://www.t10.org/members/w_sbc4.htm);
* [NVME Sanitization Command according to NVME Command Set Specification](https://nvmexpress.org/wp-content/uploads/NVM-Express-NVM-Command-Set-Specification-Revision-1.1-2024.08.05-Ratified.pdf).

## Manufacturer and Vendor Support for Sanitization
Given that the support for sanitization is optional and not a mandatory aspect of the respective standards the support accross vendors can vary largely.
The following table does not claim or warrant to be complete, it is highly advised to always validate the information with the manufacturer:

| Manufacturer | Manufacturer Tool (MFT) | SATA | SAS | NVME |
|----------------- |------------------------------------------------------ |----------------- |------------------- |---------- |
| Samsung | Samsung DC Toolkit 3.0 | Use MFT* | Use MFT | Use MFT |
| Intel / Solidigm | Solidigm™ Storage Tool | Use MFT*\* | Use MFT | Use MFT |
| Western Digital | supports SAS / SCSI format unit command | hdparm sanitize | sg_utils sanitize | nvme-cli sanitize |
| Sandisk | supports SAS / SATA / SCSI format unit command | hdparm sanitize | sg_utils sanitize | nvme-cli sanitize |
| Seagate | Open Seachest | Use MFT | Use MFT | Use MFT |
| SK Hynix | Unconfirmed for Linux | N/A | N/A | N/A |
| Kioxia | Unconfirmed for Linux | N/A | N/A | N/A |
| Micron | Unconfirmed for Linux | N/A | N/A | N/A |
| Kingston | Unconfirmed for Linux | N/A | N/A | N/A |
| Others | Unconfirmed for Linux | N/A | N/A | N/A |

\* [DC Toolkit 3.0 contains hdparm, but Interface Standard Compliance is unconfirmed](https://download.semiconductor.samsung.com/resources/user-manual/Samsung_DCToolkit_V3.0_User_Guide.pdf)

\*\* [Generally Supported, but individual models might offer different levels of support](https://community.solidigm.com/t5/solid-state-drives-nand/support-for-sata-sanitize-command/td-p/24452)

## Advised Procedure for Sanitization of SSD Drives

1. Complete an intial sanitization using the manufacturer tools or if supported by the manufacturer use hdparm, sg_utils or nvme;
2. Follow up with SHREDOS/Nwipe with a single PRNG stream with verification (PRNG data is extremely hard if not impossible to compress and therefor has to be written out by the firmware);
3. Complete an additional sanitization using the manufacturer tools or if supported by the manufacturer use hdparm, sg_utils or nvme;
4. Validate that the data has been overwritten.
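
Review bot: Step 4 of the advised procedure, "Validate that the data has been overwritten", gives no method, and the disclaimer's "compare the data contained on the disk before and after sanitization" is equally unspecified; the guide should name a concrete check (for example reading back the device and confirming the earlier content is gone) and say that it only covers host accessible blocks. In the support table, "sg_utils sanitize" should name the actual package and utility (sg3_utils, sg_sanitize), and step 1 says "nvme" where the table says "nvme-cli". The "Manufacturer Tool (MFT)" column for Western Digital and Sandisk holds a note about the format unit command rather than a tool name, which does not fit the column. The index lists four sections but the headings below it do not match: items 2 and 3 are merged into one heading and "Advised Procedure" is a second-level heading. The title says "cancellation" where "sanitization" is used everywhere else, and "intial", "accross" and "therefor" are typos.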
