
Applies to all: Encryption!

The universal method for securely removing all data from a drive is to encrypt all the data in the first place!

Self-Encrypting Drives

Some SSDs support self-encryption, making secure erase as simple as scrambling the keys stored on the disk. More info here (Arch only).

Windows: BitLocker

On Windows, set up BitLocker on the C: drive (requires Windows Pro). This is done AFTER installing Windows: simply right-click on C: and select "Turn on BitLocker".

To erase securely, follow the Windows directions in the section: Dumb but Effective

Linux: LVM + LUKS

For non-encrypting SSDs and HDDs, Arch supports encrypted LUKS volumes, which can either act directly as a partition or serve as a container that houses multiple partitions. A single LUKS volume with multiple partitions is the easiest to manage, as you can use the same key to encrypt root, /home, swap, etc.

Only the boot partition remains unencrypted. As with self-encrypting drives, securely erasing a LUKS-encrypted drive is as easy as erasing the LUKS header data from the volume (which stores the keys required to decrypt). This method MAY NOT always be secure, however, as the SSD may shift the LVM headers around if a memory block starts to fail, so a copy of the headers may exist even after wiping. For a truly secure erase, one of the other erase methods should be employed after erasing the headers.
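A way to check, after a header wipe, that no LUKS header copy is still readable from the host. This is an added example, not part of the original page; the magic bytes and secondary-header offsets come from the LUKS2 on-disk format rather than from this page, and the sample image is constructed in memory.

```python
import struct

# Magic bytes from the LUKS on-disk formats (assumption: not stated on this page).
MAGIC_PRIMARY = b"LUKS\xba\xbe"     # LUKS1 header and LUKS2 primary header
MAGIC_SECONDARY = b"SKUL\xba\xbe"   # LUKS2 secondary (backup) header
# A LUKS2 secondary header starts right after the primary header and its
# JSON area; their combined size is one of these values (16 KiB .. 4 MiB).
SECONDARY_OFFSETS = [0x4000 << i for i in range(9)]


def find_luks_headers(image: bytes):
    """Return [(offset, kind, version)] for every header magic still present."""
    candidates = [(0, MAGIC_PRIMARY, "primary")] + [
        (off, MAGIC_SECONDARY, "secondary") for off in SECONDARY_OFFSETS
    ]
    found = []
    for offset, magic, kind in candidates:
        chunk = image[offset:offset + 8]
        if len(chunk) == 8 and chunk[:6] == magic:
            (version,) = struct.unpack(">H", chunk[6:8])  # big-endian uint16
            found.append((offset, kind, version))
    return found


def no_header_magic_left(image: bytes) -> bool:
    """True only when neither a primary nor a secondary header is found."""
    return not find_luks_headers(image)


def make_constructed_luks2_image(hdr_size=0x4000, total=0x10000):
    """Constructed sample: only magic, version and hdr_size are filled in."""
    img = bytearray(total)
    for offset, magic in ((0, MAGIC_PRIMARY), (hdr_size, MAGIC_SECONDARY)):
        img[offset:offset + 16] = magic + struct.pack(">HQ", 2, hdr_size)
    return img


if __name__ == "__main__":
    img = make_constructed_luks2_image()
    print("fresh volume:    ", find_luks_headers(bytes(img)))
    img[0:4096] = bytes(4096)        # naive wipe: first 4 KiB only
    print("after 4 KiB wipe:", find_luks_headers(bytes(img)))
    img[0:0x8000] = bytes(0x8000)    # wipe both header copies
    print("after full wipe: ", no_header_magic_left(bytes(img)))
```

A clean result only covers the header copies the host can read. It does not cover the keyslot area or blocks the SSD has remapped, which is why a further erase method is still needed afterwards.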

More info here (Arch) on setting up an encrypted volume.

More info (also Arch) on preparing/wiping an encrypted disk.