Re: Re-use SSD - Martin Steigerwald

EcryptFS development
 help / color / mirror / Atom feed

From: Martin Steigerwald <martin@lichtvoll.de>
To: ecryptfs@vger.kernel.org
Cc: Paul van der Vlis <paul@vandervlis.nl>
Subject: Re: Re-use SSD
Date: Thu, 14 Sep 2017 15:21:13 +0200	[thread overview]
Message-ID: <1882558.NIKn6SUjoV@merkaba> (raw)
In-Reply-To: <opdsrr$7vn$1@blaine.gmane.org>

Hello Paul.

Paul van der Vlis - 14.09.17, 14:32:
> I have bought many laptops with privacy-sensitive data on /home in
> ecryptfs on the SSD. And I have promised to carefull remove the data
> before re-using.
> 
> What would you advice to do? Is it possible to overwrite the master key
> for example? Or is it a good idea to change the passphrase in a very
> long one?

Technically you can´t really overwrite it. SSDs use Copy on Write.

Also I think the passphrase in Ecryptfs just encrypts a key used to encrypt 
the data… not the data itself.

Generic hint for securely erasing SSDs.

https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

You rely on the SSD firmware tough. But I am not aware of another way to 
securely delete data of an SSD other than ATA Secure Erase. However ATA Secure 
Erase only is really safe for SSDs that use encryption like Intel SSD 320 (and 
many newer SSDs) as the SSD will overwrite the encryption keys. Many SSDs use 
encryption by default, without change using some default key (ideally randomly 
generated key that the manufacture then forgets… but manufacturers may just 
use same key for all SSDs with a certain firmware) key and no password for it.

Just deleting files doesn´t do much. At least run fstrim after deleting files. 
Thats still not as safe as Secure Erasing the whole device tough.

Thanks,
-- 
Martin

next prev parent reply	other threads:[~2017-09-14 13:21 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-14 12:32 Re-use SSD Paul van der Vlis
     [not found] ` <f34084a3-159d-e580-d199-ecf6acf345ff@aron.ws>
2017-09-14 13:03   ` Paul van der Vlis
2017-09-14 13:21 ` Martin Steigerwald [this message]
2017-09-14 13:38   ` Martin Steigerwald
2017-09-22 10:43   ` Paul van der Vlis
2017-09-22 11:27     ` Martin Steigerwald

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1882558.NIKn6SUjoV@merkaba \
    --to=martin@lichtvoll.de \
    --cc=ecryptfs@vger.kernel.org \
    --cc=paul@vandervlis.nl \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox