Client: Bruce Hettema
Originally published on TechTarget
By John Edwards
Donating a used SSD may seem like a nice thing to do, but not if you want to keep your data secure. SSD disposal and recycling are more complicated than you might think.
SSD technology is evolving rapidly. As prices fall, speed and capacity continue to grow, and SSDs gain an even stronger foothold in the storage market. Despite their long lifespan, even SSDs, like their hard drive predecessors, eventually need to be replaced. When that time comes, the resilience and structure of the drives must be taken into account to securely wipe and destroy an SSD.
Safely disposing of aging or obsolete SSDs without running the risk of theft and/or unauthorized exploitation requires a bit of work. Data must be removed or encrypted, and the physical SSD itself must be disposed of. While donating used SSDs might seem like a viable alternative, some experts would strongly warn against it.
Here are some tips to ensure that you thoroughly wipe and destroy an SSD.
Secure SSD erasure
Simply deleting files and formatting the drive might not be enough to remove all of the data from an SSD. To completely remove any visible trace of data, Mark Cooper, president of tech recycling firm Revolution Recycling, suggested using an SSD-compatible multiple-pass data overwrite program. “The principle is the same as HDD erasure — write over the entire data storage device with random data — but the mechanism is different,” he said.
“Check the manufacturer’s website for a tool specifically designed for your SSD,” said Paul Bischoff, privacy advocate at Comparitech, a tech product testing and review website. “SSD makers often create their own freely available software to securely erase drive contents.”
Alternatively, one could just encrypt all the data on the SSD, throw away the decryption key and then reformat the device. “The risk of anyone recovering data and breaking the encryption is very low,” Bischoff said.
Mike Cobb, director of engineering for data recovery service DriveSavers, offered another approach to secure SSD erasure. “This involves erasing an encrypted drive, which wipes out all the files, then re-enabling encryption on the newly formatted drive,” he said. “This isn’t as good as overwriting the data, but it does make it unrecoverable in most cases.”
On the other hand, the process is generally much faster than waiting for a multiple-pass erasure program to complete its repetitive work. “To use this option, you can simply turn on FileVault in the Mac operating system or BitLocker for Windows 10 in the Pro version,” Cobb said.
When SSDs store data that’s particularly sensitive, physical destruction following a secure SSD erasure reduces the possibility of unauthorized recovery to near-zero. Unfortunately, organizations often make the mistake of treating retired SSDs like HDDs.
“HDDs are much easier to physically destroy just by drilling a hole through them, while SSDs contain multiple memory chips that all have to be individually destroyed,” Bischoff explained. “This could lead to companies leaving remnant data on retired drives and devices that could be recovered by someone else.”
Due to the way SSDs are constructed, attempts to destroy an SSD with a magnet or drilling holes into the chips can still leave data intact. “It’s best to thoroughly destroy them with a hammer so all of the memory chips contained within are pulverized,” Bischoff noted. “You could have it professionally shredded, but that gets expensive and is only really necessary for extremely sensitive data,” he added.
When shredding is appropriate, it’s important to use the right size shredder. “Since SSDs contain blocks of data that are roughly 1/2 x 1/2-inch in size, we recommend shredding SSDs in a shredder with a 3/8-inch shred width, therefore ensuring that all blocks are destroyed,” Cooper said. “Running an SSD through a large-width shredder is rather ineffective, as many of the blocks could pass through unmolested.” When using a larger shredder, Cooper recommended rerunning SSDs through the device multiple times to ensure that all of the blocks are completely destroyed.
There are also SSD destruction devices that are designed to perforate and destroy an SSD. “These devices are reminiscent of a waffle iron,” Cooper said. “Place the drive inside and close the lid.” Once shut, solid, sharp, protruding nodules will puncture or perforate the drive every 1/4 to 1/2 inches, depending on the unit’s size.
To donate or not to donate?
Cooper advised against donating used SSDs to employees, acquaintances or charities. “All retired IT equipment should be handled by a certified IT asset disposition company,” he said. “Most companies do not want to be in the business of selling their used IT gear, especially when it may contain customer or company data.”
Daniel O. Deter, manager of information security for cloud data center provider Green House Data, also recommended resisting the urge to give away old SSDs, even after a successful, secure SSD erasure. “One of the most important aspects of media sanitization is trust,” Deter said. “All sanitization methods involve manual processes, which must be performed by humans, and thus will occasionally suffer from inconsistent delivery.” Imperfect SSD erasure could leave sensitive files intact. “To ensure trust, organizations should only surrender physical control of media after it is physically destroyed.”
According to Cooper, the biggest mistake organizations make when they choose to destroy an SSD is failing to tell the disposal/recycling firm that their discarded equipment includes SSDs. “With physical destruction, SSDs should be isolated from HDDs to ensure that they are destroyed beyond recoverability,” he said. “The destruction particle size is different from HDDs, and processes such as crushing, which will destroy a hard drive platter sufficiently, are not acceptable for SSDs.”
Read more at TechTarget.