I have a SSD drive with LUKS encrypted partition. How to discard all data with one command? Or damage it to non-recoverable state? Even if partition is in use.
`blkdiscard /dev/destroyme` wipes everything – frostschutz Mar 03 '17 at 10:53
3 Answers
If your SSD is encrypted with LUKS, erasing the header is good enough, e.g.:
dd if=/dev/urandom of=/dev/sda1 bs=512 count=20480
See the following link for details:
https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Wipe_LUKS_header
Will this mean that the data can't be recovered even if someone has a key to the storage? – NapoleonTheCake Mar 03 '17 at 10:46
The thing about decently encrypted data is that even losing a small part of it renders the remainder gibberish. *Especially* the header which might have told you what method was used and with which parameters. – Shadur Mar 03 '17 at 13:16
@Shadur What method was used and which parameters is easily guessable: there aren't many choices. – Gilles 'SO- stop being evil' Mar 03 '17 at 22:54
@NapoleonTheCake If somebody already has a copy of your data, you can erase your copy, but you can't erase their copy. If all they have is your password, then erasing the header is enough: your password is only a way to decrypt the data encryption key, which is stored in encrypted form in the header. – Gilles 'SO- stop being evil' Mar 03 '17 at 22:56
Actually, on an SSD, if you're worried about an adversary with a bit of money (I don't know exactly how much), this is not enough, because there are probably residual copies of the header in sectors that haven't been overwritten yet. You need to use the SSD's secure erase command to get them (but beware that some SSDs don't implement secure erase correctly). – Gilles 'SO- stop being evil' Mar 03 '17 at 23:02
Better would be `cryptsetup luksErase /dev/sda1`, I'd think... (And of course Gilles' SSD caveat applies to this too.) – derobert Mar 03 '17 at 23:03
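As an added example (not code from any of the answers or comments above), here is a small POSIX shell script that performs the header overwrite from this answer and then checks that no LUKS magic survives in the overwritten region. The function names, the 10 MiB region size (the answer's 20480 sectors) and the scan for the LUKS1/LUKS2 primary and LUKS2 secondary magic are my own choices; it assumes GNU coreutils (dd, od).

```shell
#!/bin/sh
# Added example: overwrite the LUKS header region with random data (as the answer
# above does with dd) and verify afterwards that no LUKS magic remains there.
# Caveat from the comments: on an SSD this does not reach stale flash copies of
# the header; follow it with blkdiscard, cryptsetup luksErase or ATA Secure Erase.

HEADER_SECTORS=20480                 # 512-byte sectors, i.e. 10 MiB, as in the answer
SCAN_BYTES=$((HEADER_SECTORS * 512))

# Return 0 if the LUKS1/LUKS2 primary magic ("LUKS\xba\xbe") or the LUKS2
# secondary-header magic ("SKUL\xba\xbe") occurs, byte-aligned, in the region.
has_luks_header() {
  dev=$1
  od -A n -v -t x1 -N "$SCAN_BYTES" "$dev" | tr -d ' \n' |
    grep -Eq '^(..)*(4c554b53|534b554c)babe'
}

# Overwrite the first $2 sectors (default HEADER_SECTORS) of $1 with random data.
# conv=notrunc keeps a regular test file at its size; fsync flushes before returning.
wipe_luks_header() {
  dev=$1
  sectors=${2:-$HEADER_SECTORS}
  dd if=/dev/urandom of="$dev" bs=512 count="$sectors" conv=notrunc,fsync
}

# Usage (destructive): sh wipe-luks-header.sh /dev/sdXN
if [ -n "${1:-}" ]; then
  has_luks_header "$1" && echo "LUKS magic found on $1, overwriting header region"
  wipe_luks_header "$1"
  if has_luks_header "$1"; then
    echo "LUKS magic still present on $1" >&2
    exit 1
  fi
  echo "no LUKS magic left in the first $HEADER_SECTORS sectors of $1"
fi
```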
I find the shred command to be excellent at this. shred is a GNU Coreutils application and thus you should already have it installed in your GNU/Linux distribution.
Example:
shred /dev/sda
Details about shred:
https://www.gnu.org/software/coreutils/manual/html_node/shred-invocation.html
`shred` is the wrong tool for this job. `shred` is almost always the wrong tool, but it's especially useless here: since this is an encrypted volume, all it takes is to wipe the key. Especially since the request is to do it quickly. – Gilles 'SO- stop being evil' Mar 03 '17 at 22:53
@Gilles Sure, I see your point. But then you also need to trust the encryption. If the OP doesn't care about the data, wouldn't it be better to just destroy all of it? – Markus Rexhepi-Lindberg Mar 04 '17 at 16:22
Being an SSD, I believe the good method would be ATA Secure Erase:
https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase
When a Secure Erase is issued against an SSD drive, all its cells will be marked as empty...
Articles reference using hdparm in Linux to make this happen. I am not very familiar with this, so be mindful of doing a disk-level erase encompassing all partitions... recognizing that you said LUKS encrypted partition. Be mindful of taking out the whole disk versus a given partition. I think the secure erase targets or can target disk sectors... partitions are over certain disk sectors, so...
For an SSD with TRIM:
https://www.easeus.com/mac-file-recovery/ssd-trim-data-recovery.html
"definitively impossible to recover data from a TRIM-enabled SSD"
Also see here: https://www.datanumen.com/blogs/possible-recover-deleted-files-trim-enabled-solid-state-drive/
So if TRIM is supported, enabled, and happens, then simply deleting the data should render it not recoverable after the TRIM happens.
This mainly applies to an SSD connected via SATA, where this all happens correctly; for SSDs connected via USB or part of a RAID, things get more complicated...
Because you said LUKS encryption, I believe TRIM is typically disabled. So in this case you would want to simply blow away the LUKS partition and create a standard primary partition with TRIM enabled; then, with the empty partition, have TRIM happen, which will mean the data is not recoverable from the disk sectors the partition was on.