On 3/21/22, Damian Weber <dwe...@htwsaar.de> wrote:
> https://lists.freebsd.org/archives/freebsd-security/2022-March/000022.html
> I'd like to have an answer on a secure FreeBSD way to erase
> SSDs before giving these away to someone for reusing it.

https://lists.freebsd.org/archives/freebsd-security/2022-January/000013.html

All data storage devices are completely untrustworthy closed source
opaque black box blobs, nor will any insurer write a policy over, nor
any manufacturer indemnify, those products' keying / erasure /
inaccessibility claims.

If you want at least some level of opensource verifiable independent
"secure erase" function you have to integrate the crypto of 4 below
before using the drive...

1) Buy drive [1]
2) Apply drive hardware based encryption
3) dd if=/dev/random of=drive bs=1m
4) Apply OS based full disk encryption
5) Use drive
6) Destroy OS FDE keys
7) dd if=/dev/random of=drive bs=1m
8) Run drive hardware based blackening and/or sanitization
9) Reuse, or destroy, or release if desired

2,8) Many storage devices do not offer embedded hardware encryption,
and many users don't use it. Some users use it in composition with
the OS FDE (4), since OSes are unaudited and change, nor are
opensource crypto algos guaranteed either. And there have been some
news of instances where hardware crypto and/or wipe were broken and
thus recoverable. Defense in depth.

As always... not your keys, not your crypto...
https://www.youtube.com/watch?v=IwP1DOHYLaE
nyknyc

[1] Via secure and/or anon channels as desired to avoid interception
backdooring by various actors; this is real world and has been in the
news for years.
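
An added example, not part of the original message: a read-back check for the overwrite pass in steps 3 and 7, run against a file-backed image that stands in for the drive. The function names, the canary string and the 4 MiB image size are constructed for illustration.

```sh
# Added example (not from the original message). A file-backed image stands in
# for the drive; all function names and the canary string are constructed.
CANARY='CANARY-constructed-sample-7f3a'
MIB=1048576

# Simulate a used drive: zero-filled image with the canary at three offsets.
make_used_image() {
    img=$1; size=$2
    dd if=/dev/zero of="$img" bs=$MIB count=$((size / MIB)) 2>/dev/null
    for off in 0 $((size / 2)) $((size - 4096)); do
        printf '%s' "$CANARY" | dd of="$img" bs=1 seek="$off" conv=notrunc 2>/dev/null
    done
}

# Steps 3 and 7: overwrite the whole target with random data. On FreeBSD
# /dev/urandom is the same device as /dev/random.
overwrite_random() {
    dd if=/dev/urandom of="$1" bs=$MIB count=$(($2 / MIB)) conv=notrunc 2>/dev/null
}

# Read-back check 1: how many copies of the canary are still readable.
canary_hits() {
    LC_ALL=C grep -a -o -F "$CANARY" "$1" | wc -l | tr -d ' '
}

# Read-back check 2: how many 1 MiB blocks still read as all zeros, which
# after a random overwrite means the pass never reached them.
zero_blocks() {
    img=$1; size=$2; n=0; i=0
    while [ "$i" -lt $((size / MIB)) ]; do
        nz=$(dd if="$img" bs=$MIB skip="$i" count=1 2>/dev/null | LC_ALL=C tr -d '\000' | wc -c)
        if [ $((nz)) -eq 0 ]; then n=$((n + 1)); fi
        i=$((i + 1))
    done
    echo "$n"
}

# Build, check, wipe, check again; prints "before=<hits> after=<hits> zero=<blocks>".
wipe_demo() {
    size=$((4 * MIB)); img=$(mktemp /tmp/wipe-demo.XXXXXX)
    make_used_image "$img" "$size"
    before=$(canary_hits "$img")
    overwrite_random "$img" "$size"
    echo "before=$before after=$(canary_hits "$img") zero=$(zero_blocks "$img" "$size")"
    rm -f "$img"
}

wipe_demo
```

A clean read-back only covers the blocks the drive returns through its logical interface; spare or remapped flash is not visible this way, which is why the list above also destroys the FDE keys (step 6) and runs the drive's own sanitize (step 8).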