The short answer is:
Perhaps you can’t. Well, you can, but that means that you need to use a hammer.
The long answer:
You could use the built-in ATA Secure Erase command (if your drive supports it), or you can overwrite the SSD multiple times, but…
There are studies out there showing that the data could be recovered even after overwriting multiple times.
Note that a data recovery will most likely only be possible by pulling out the flash and accessing it directly. Someone would need to put some effort into this to (maybe) get to (some of) your data.
The ATA Secure Erase command is a feature implemented by the manufacturer of a Solid State Drive.
It pretends to securely erase an SSD in just a few minutes (or less). I say ‘pretend’ as this does not always work as expected. Various scientific papers have shown that this feature is not always implemented correctly and that sometimes the data is not even erased.
So you need to trust the vendor in this case, which is a bad idea in general.
Let’s say we trust those guys and use this feature to erase our SSD.
ATA Secure Erase
The drive must be connected via SATA or eSATA; USB won’t work. First we’ll check if ATA Secure Erase is supported by the drive:
hdparm -I /dev/sdx
Master password revision code = 65534
not expired: security count
supported: enhanced erase
2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
The output should look similar. We see that our drive supports 2 modes: Secure Erase and Enhanced Secure Erase. So what is the difference?
And again, it’s the manufacturer who would need to tell us. I asked Kingston and they answered as follows:
Secure erase overwrites all user data areas with binary zeroes. Enhanced secure erase writes predetermined data patterns (set by the manufacturer) to all user data areas.
I guess Secure Erase will do the job.
We also see that our disk is not frozen, which is good. What do we do if it’s frozen?
There is a simple solution which worked for my SSDs. We send our system to sleep and wake it up again. This will remove the frozen status from the disk.
echo -n mem > /sys/power/state
Now we use hdparm again to check if the drive is unfrozen:
hdparm -I /dev/sdx
Once the drive is not frozen, we can start the Secure Erase procedure.
Activating security by setting a user password, then issuing the erase (we can replace PASS with whatever we like):
hdparm --user-master u --security-set-pass PASS /dev/sdx
hdparm --user-master u --security-erase PASS /dev/sdx
The output will look like this and we have to wait a while:
Issuing SECURITY_ERASE command, password="PASS", user=user
That was quick, wasn’t it? Our drive should now be erased. You don’t trust the vendor? Neither do I.
Overwriting the drive
Overwriting the drive multiple times would be another option if we want to keep the drive.
Let’s check if there is any HPA (Host Protected Area).
This is a protected area which will not be erased if we overwrite the whole disk.
Checking for HPA:
hdparm -N /dev/sdx
We will see something like the following if HPA is disabled:
max sectors = 1565152896/1565152896, HPA is disabled
On the right side we have the real hardware sector limit of the disk, on the left side we see the value set for the HPA. Here, the numbers are the same which indicates that HPA is disabled.
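As an added example (not part of the original post), the two checks described above, the frozen state from hdparm -I and the HPA from hdparm -N, can be scripted as a pre-flight test. The function names and the sample text are constructed here, and the parser assumes hdparm's usual tab-indented Security block.

```bash
#!/usr/bin/env bash
# Added example: parses captured hdparm text only; nothing here touches a drive.

# security_flag TEXT FLAG -> yes/no/unknown for a flag in the "Security:" block.
# hdparm prints "not<TAB>frozen" when a flag is clear and a bare "frozen" when set.
security_flag() {
    printf '%s\n' "$1" | awk -v flag="$2" '
        /^Security:/              { insec = 1; next }
        insec && /^[A-Za-z]/      { insec = 0 }   # next section header
        !insec                    { next }
        $1 == "not" && $2 == flag { print "no";  found = 1; exit }
        $1 == flag && NF == 1     { print "yes"; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# hpa_hidden_sectors TEXT -> native max minus visible max from `hdparm -N` (0 = no HPA).
hpa_hidden_sectors() {
    printf '%s\n' "$1" |
        sed -n 's|.*max sectors *= *\([0-9][0-9]*\)/\([0-9][0-9]*\).*|\1 \2|p' |
        { read -r visible native && echo $(( native - visible )); }
}

# preflight IDENTIFY_TEXT HPA_TEXT -> prints findings; status 0 only when all checks pass.
preflight() (
    rc=0
    [ "$(security_flag "$1" supported)" = yes ] || { echo "security feature set not reported"; rc=1; }
    case "$(security_flag "$1" frozen)" in
        no)  ;;
        yes) echo "drive is frozen: suspend and resume, then check again"; rc=1 ;;
        *)   echo "frozen state not found in the output"; rc=1 ;;
    esac
    hidden=$(hpa_hidden_sectors "$2") || hidden=unknown
    [ "$hidden" = 0 ] || { echo "HPA: $hidden sectors are hidden from a plain overwrite"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ready"
    exit "$rc"
)

# Constructed sample, modelled on the hdparm output quoted in the article.
SAMPLE_ID=$(printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n')
SAMPLE_HPA=' max sectors = 1565152896/1565152896, HPA is disabled'
preflight "$SAMPLE_ID" "$SAMPLE_HPA"
# On a real system (assumption: run as root against the right device):
#   preflight "$(hdparm -I /dev/sdx)" "$(hdparm -N /dev/sdx)"
```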
So what do we do if it’s enabled?
We change the value to the real maximum sector count.
hdparm will do that for us.
hdparm -N 1565152896 /dev/sdx
Note that this is not permanent and will be restored after boot. Use hdparm -N p1565152896 /dev/sdx if you want to make that permanent.
Now we could run dd if=/dev/zero of=/dev/sdx to write zeros to the entire drive.
Don’t store important data unencrypted on an SSD. Disable the HPA and encrypt the whole drive from the beginning. If a data recovery were successful, it would at least only show the encrypted data.
If you stored data unencrypted, you might go for the hammer.