SAFE: Fast, Verifiable Sanitization for SSDs

As users, corporations, and government agencies store more data in digital media, managing that data and access to it becomes increasingly important. Reliably removing data from persistent storage (i.e., sanitizing the storage) is an essential aspect of this management process, and several techniques that reliably delete data from hard disks are available as built-in ATA or SCSI commands, software tools, and government standards. Recently, there have been two disruptive developments in storage sanitization. The first is the emergence of flash-based solid-state drives (SSDs) that use silicon chips rather than spinning disks to store data. The second, is the rise of encryption as a means to protect data on the drive and as a means to quickly render it irrecoverable. Reliably erasing data from SSDs is challenging both because of the complex data management schemes they employ and because the built-in facilities for sanitization are sometimes buggy. We have evaluated built-in sanitization facilities by applying a sanitization technique, dismantling the drives, extracting the raw bits from the discrete flash devices inside, and searching for remnant data. The technique takes a few hours, is inexpensive, requires only moderate technical skill, and works independently of the controller. We have used this technique to show that some drives claim to successfully erased the drive when the data remains intact, leaving us with a strong conviction that firmware-based sanitization techniques must be verifiable to be trustworthy. An alternative to overwriting or erasing data is to store the data in encrypted form. When the user wishes to destroy the data, the drive destroys the cryptographic key. In theory this should render the data irrecoverable. An advantage of this technique is that it is fast. It takes a fraction of a second to destroy a cryptographic key while conventional sanitization operations on an SSD may take many seconds. In emergency situations, speed is of the essence and erasure-based techniques may be too slow.