OK there are 2 completely opposite thoughts on shredding SSDs

1. All SSDs have a trim functionality so any unused data gets set to 0 automatically by the os or in some cases by ssd controller

2. Even if trim sets it to zero there is always some deviation from the original zero and a very very sophisticated attacker can find the actual data. And simply using shred or /dev/zero doesn’t help because SSD controller always writes to different physical location even for same file. And the only real way to ensure data can’t be recovered is to smash it

Pick and choose depending on your threat model. If you’re just selling it to someone or you know that no nation state actors are after your data then just do normal delete and then do the trim. If you think someone with capabilities is after your data and that they are willing to spend few hundred thousand dollars or even few million for whatever data is in your SSD then just microwave it and then smash with hammer. No need to shred or zero.

So much bad advice in here relating to NVME’s.

Any NVME worth it’s salt these days is an OPAL adhering self encrypting capable drive for data storage.

This means in Linux you simply install nvme-cli, then do a mode 2 crypto erase and the crypto key is dropped and all data on the drive becomes unreadable.

Y’all could stand to get with the times a bit more and learn about what NVME’s actually bring to the table

https://tinyapps.org/docs/nvme-secure-erase.html

For drives with it disabled, mode 1 wipe will have the controller fill all regions with meaningless data to wipe it.

If you ever need a reeally stupid way to sanitize deleted data without special privileges, just fill the disk up with some files then delete them. On Linux this is easy with cat and /dev/zero or urandom. Can’t be sure it gets everything but it’s better than doing nothing.

Thankfully it is largely just a few commands with built in tools to tell the drive firmware to secure erase

SATA SSD: https://acceptdefaults.com/2023/01/06/secure-erase-an-ssd/

NVME SSD: https://acceptdefaults.com/2022/08/11/secure-erase-an-nvme-drive/

for future reference, encrypt your drives from the get-go. even if it’s not a mobile device, you can use on-device keys to unlock it without a pass-phrase.

source: used shred on a couple of 3.5" 4 TB drives before selling them, took ages…

Everyone has given Linux answers, its also worth knowing quite a lot of UEFI’s contain the ability to secure erase as well. There are a number of USB bootable disk management tools that can do secure erase as well.

Don’t ever write any really private data to the SSD in cleartext. Use an encrypted file system. “Erase” by throwing away the key. That said, for modern fast SSD’s the performance overhead of the encryption might be a problem. For the old SATA SSD in my laptop, I don’t notice it.

i was just in the same situation and stumbled upon an issue, but more on that later.

nvme cli might be what you are looking for, the arch wiki has got a good tutorial https://wiki.archlinux.org/title/Solid_state_drive/NVMe

but: it depends on how you connect the nvme ssd to your system. if you use an external enclosure/adapter the nvme would show up as /dev/sda because it is not attached to the proper interface. i did not manage to get nvme cli to work in that case.

but, and that is the much easier way to solve that issue: the bios is your friend. most modern bios provide a secure erase nvme option. so just stick the nvme ssd in your computer and try to do it that way. only took a couple of seconds due to the way it works on nvme ssds as far as i understand.

that said: i’ve got two older WD nvme ssds that i could’t format using four (!) different PC’s and their bioses, non of the manufactures software for windows or bootable usb sticks would work either (tried the latter on three different PC’s) and the external enclosure solution provided no help either. only the bios of an older asrock board easily accepted the nvme and managed to secure erase it. no clue what went wrong the first times but at least they are clean now.

I use nwipe at work: https://github.com/martijnvanbrummelen/nwipe. I have no idea if it’s better or worse than the methods already being discussed here, but its been my preference for years.

Simple solution is to use cryptsetup to encrypt it, forget the key, and optionally overwrite the first megabyte or so of the disk (where the LUKS header is).

Just use blkdiscard.

Use secure erase function which is built into the SATA and other specs, it applies a voltage spike to clear the cells of all held charges thus wiping them. This happens near instantly, it’ll be a process that will signal it’s finished within a minute and takes much less time than that.

If you want to be extra paranoid I suppose you could follow that up by encrypting the entire (empty) drive and then doing it again though I’m not sure this has any benefit however it’s the closest to forcing the cells to be used again and then cleared again. However this does not guarantee that exhausted and worn out areas are flash are not potentially spared both. It’s unlikely for large amounts of data to be recovered from this unless your drive is failing or has been completely worn out but it’s also why if you ever store sensitive data on an SSD it’s preferable to do so in an encrypted form (such as encrypting the whole disk or partition).

I did some light reading. I see claims that wear leveling only ever writes only to zeroed sectors. Let me get this straight:

If I have a 1TB ssd, and I write 1TB of SecretData, and then I delete and write 1TB of garbage to the disk, it’s not actually holding 2TB of data, with the SecretData hidden underneath wear leveling? That’s the claim? And if I overwrite that with another 1TB of garbage it’s holding, what now, 3TB of data? Each data sequence hidden somehow by the magic of wear leveling?

Skeptical Ruaraidh is skeptical. Wear leveling ensures data on an SSD is written to free sectors with the lowest write count. It can’t possibly be retaining data if data the maximum size of the device is written to it.

I see a popular comment on SO saying you can’t trust dd on SSDs, and I challenge that: in this case, wiping an entire disk by dumping /dev/random must clean the SSD of all other data. Otherwise, someone’s invented the storage version of a perpetual motion device. To be safe, sync and read it, and maybe dumb again, but I really can’t see how an SSD world hold more data than it can.

dd if=/dev/random of=/dev/sdX bs=2048 count=524288

If you’re clever enough to be using zsh as your shell:

repeat 3 (dd if=/dev/random of=/dev/sdX bs=2048 count=524288 ; sync ; dd if=/dev/sdX ba=2048)

You reduce every single cell’s write lifespan by 2 times; with modern life spans of 3,000-100,000 writes per cell, it’s not significant.

Someone mentioned blkdiscard. If you really aren’t concerned about forensic analysis, this is probably the fastest and least impactful answer: it won’t affect cell lives by even a measly 2 writes. But it also doesn’t actually remove the data, it just tells the SSD that those cells are free and empty. Probably really hard to reconstruct data from that, but also probably not impossible. dd is a shredding option: safer, slower, and with a tiny impact on drive lifespan.

Would ‘overwrite with zeroes’ in gnome Disks work?