
secure erase...how does it work


scotoma


Hi there,

There is a lot of buzz on the OCZ forum regarding the secure erase feature in CCleaner. Apparently, it performs some magic on their solid state drives that brings the performance of the drive back to its "like new" level. Can you please give some insight into what this feature is doing?

Thanks!

Scott


Fact is that Secure Erase is in fact a component of the ATA specification and is integrated into all standards compliant ATA devices in production since 2001. This is not just for SSD technology but also applies to all ATA, IDE, PATA, and SATA magnetic media based hard drive devices as well.

 

Created by IBM in 1994 as a feature for the TravelStar line of drives, the Center for Magnetic Recording Research at the University of California San Diego had at the insistence of the NSA developed the current version of the Secure Erase technology.

 

Secure Erase is embedded in the drive controller microcode and is initiated by an externally issued command sequence. Once initiated, SE uses an optimized single pass process that addresses all regions of the storage media, including the Protected Service Areas (when properly launched using compatible hardware). Protected service areas include G-List, Host Protected Area, and the Device Control Overlay (search Wikipedia for a detailed description of the role of each component of the PSA).

 

Despite the fact that it is launched by external command, and is a highly effective PURGE level sanitization technology, it cannot be reliably launched on most host equipment due to host controller protection of the HPA, and the fact that many BIOS manufacturers inhibit SE from being launched due to security concerns. The issue being that if a virus or malware were to initiate SE, the target computer would be purged rapidly, and with no hope for recovery.

 

It is for this reason that Secure Erase is not being exploited en masse by every software vendor. Effectively, the only truly effective means to purge using SE is by using purpose built hardware such as the Digital Shredder manufactured by Ensconce Data Technology (www.deadondemand.com) or other dedicated appliance based solution.

 

For more information on SSD performance issues, an excellent paper can be found at www.anandtech.com under the storage heading. The comments are well informed, and from the hip.. truly an excellent read.

 

If you want accurate and up to date guidance on developing policy for the destruction of digital data, I had co-authored a guide with Dr. Gordon Hughes of the CMRR titled 'The best Practices for the Destruction of Digital Data' which is based on a review of all available guidance collected from Government, Academic, and vendor sources, as well as input by industry and security experts. In this guide we present hardware considerations, classification concerns, and review acceptable (and unacceptable) practice... essentially all the tools one needs to create accurate and reliable data destruction policy.

 

The paper is available as a no charge download at www.converge-net.com, select English, and go to the news page to link to the download request form.

 

I hope this helps.

 

Ryk

 

 


Hi Ryk,

 

Thanks for the detailed response. I am less interested in secure erase for its security and more interested in why the performance of the SSD improves. I am familiar with the article you reference. I have read it several times in hope of learning more about this topic. OCZ has provided a utility that sends a TRIM command to the drive. This is their answer to the slowdown in performance of the drive discussed in this article. The problem is that this does not work through a RAID controller. It only works with a SATA drive through IDE controller mode. But, from what I have heard, the secure erase feature does work on RAID, and somehow it has a similar effect to the TRIM command. This is what is puzzling to me.

 

Scott


  • Moderators

Hi Scott and Ryk,

 

There's a lot of interesting stuff (OK, to some...) here, but I have to say that most of the stuff on the OCZ forum went over my head. The 'Run CC and go faster' theory seems to have produced mixed results: I have no idea why any SSD performance difference either way should occur, but I'm sure the Piriform developers are looking with interest, if not amusement.

 

There seems to be some confusion on the OCZ forum about levels of free space wipe. As far as I know (and I am not in the pay or confidence of Piriform) wipe free space and secure delete are separate entities. Wipe free space uses one pass of zeroes (which of course under PRML is coded when written on the disk - does SSD employ PRML too?), and the secure delete settings don't apply whatever you choose.

 

CC certainly doesn't use the Secure Erase microcode. The papers Ryk refers to seem to show that wiping data properly is more a result of doing the job properly in the first place (hence EDT's shredder) than hammering the disk with umpteen overwrites. But this is no answer to Scott's original post.


Augeas,

To answer your question about why the slow down in performance s... When the OS writes a file to a solid state drive, the contents of the cell must first be deleted. This takes a lot longer than just a write (about 2X). Therefore, unless you have a brand new drive you are not going to see anywhere near rated performance level. There is a new TRIM feature supported by the latest ATA spec that allows the operating system to tell the drive to erase a cell after a file has been deleted. This prepares the cell for the next time it is written to. OCZ drives with the latest firmware support this feature but most OS do not (I think Windows 7 beta does). Therefore, there is an opportunity for someone like Piriform to write a utility that does this task. OCZ provides a utility but it is not very elegant. It is a command line utility that only cleans 90% of the drive.

 

It is surprising that the Secure Erase actually helps... that's why I was looking for some details on how this feature works.

 

Scott


  • Moderators

I don't think that anyone really knows how it works. To clarify the nomenclature, CCleaner Secure Deletion overwrites individual files, CC Wipe Free Space wipes free space, and Secure Erase (Ryk's topic) is HDD controller microcode. The OCZ forum is discussing CC Wipe Free Space as far as I can see.

 

The opinion from users is that CC's WFS fills the unused space on an HDD with largish files that either contain zeroes or are subsequently written with zeroes until the disk is full, then the files are deleted. I don't think the MFT is touched as nobody seems willing to say so (I don't use WFS). So it is effectively a full write and delete operation on all free space. I would guess that there is no special consideration in CC for SS devices; perhaps the speed up/down is due to the disk having a uniform cell deleted/not deleted pattern over the entire disk after a WFS instead of the mixture one would find in normal use.


I think we are discussing at least 4 issues here..

 

1/ restoring performance to SSD devices (the original topic)

2/ The functional value of CCleaner referenced on the OCZ forums.

3/ The operational value of Secure Erase in restoring performance to SSD Devices (as referenced in the article references on the Anandtech.com site)

4/ How to invoke the TRIM feature on SSD devices.

 

As my area of expertise is in data destruction technology and policy, I will touch on a couple of concerns related to the CCleaner and Secure Erase issues. I will send a link to this thread to Anand Lal Shimpi of Anandtech in hopes that he will respond to the other issues, as he is probably one of the most knowledgeable resources on this very topic.

 

CCleaner is a block level overwrite utility initially designed for clearing magnetic media type storage devices. The multipass overwrite process was designed specifically for the purpose of obfuscating written data in the sectors processed, assuring that all bits are processed, rendering no recoverable data at the end of the process. This process is subject to controller access level restrictions to regions that are addressable to the process running the overwrite process. Accordingly, ATA devices will not permit access to Protected Service Areas, but for the purpose of this thread, this is irrelevant.

 

Unlike Secure Erase, CCleaner can be configured to clear all free space, overwrite selected files, or process all accessible storage space. Clearly, if the intent is to regain performance by clearing the free space, CCleaner is the way to go.

 

Secure Erase is an embedded single pass process that purges data on ALL regions of the media surface in magnetic storage devices, and all regions of flash in SSD hardware. When processing magnetic media, the CMRR states the process uses an optimized write signal to effectively purge all latent data from the media... in flash, we will presume that SSD manufacturers have interpreted the Secure Erase process to initialize all bits in the flash storage space. Secure Erase is not selective and cannot be set to TRIM, or process only free space. It eliminates everything like a tornado in a trailer park.

 

So, from the perspective that SE will revert the drive to its original performance by eliminating all data, the practice appears to be sound. Using CCleaner as an attempt to TRIM all abandoned legacy data from unused data blocks will most likely have an effect that will vary based on the amount of RAM being processed.

 

Just my 5 cents...
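
Added example (not written by any poster, OCZ or Piriform): a toy Python model of the erase-before-write behaviour described in this thread, comparing the cost of rewriting a used drive with no TRIM, with TRIM on delete, and after a whole-device Secure Erase. The cost constants and the per-page erase are simplifying assumptions; real flash erases in larger blocks and firmware behaviour varies by vendor.

```python
# Toy model: all names and costs here are illustrative assumptions.
WRITE_COST = 1   # assumed cost of programming an already-erased cell
ERASE_COST = 1   # assumed extra cost of erasing first (the thread's "about 2X")


class ToySSD:
    def __init__(self, pages):
        self.erased = [True] * pages     # drive's view: cell ready to program?
        self.fs_used = [False] * pages   # file system's view: LBA owned by a file?

    def write(self, lba):
        """Host write; returns the cost the host sees on the write path."""
        cost = WRITE_COST if self.erased[lba] else ERASE_COST + WRITE_COST
        self.erased[lba] = False
        self.fs_used[lba] = True
        return cost

    def delete(self, lba, trim=False):
        """File system frees the LBA; the drive only learns of it via TRIM."""
        self.fs_used[lba] = False
        if trim:
            self.erased[lba] = True      # erased ahead of time, off the write path

    def secure_erase(self):
        """Whole-device erase: every cell reset and all data gone."""
        n = len(self.erased)
        self.erased, self.fs_used = [True] * n, [False] * n


def fill_cost(ssd):
    """Total cost of writing every LBA the file system considers free."""
    return sum(ssd.write(lba) for lba in range(len(ssd.erased))
               if not ssd.fs_used[lba])


def scenario(trim=False, secure_erase=False, pages=100):
    """Fill a new drive, delete everything, optionally Secure Erase, refill."""
    ssd = ToySSD(pages)
    fresh = fill_cost(ssd)               # brand-new drive: all cells erased
    for lba in range(pages):
        ssd.delete(lba, trim=trim)
    if secure_erase:
        ssd.secure_erase()
    return fresh, fill_cost(ssd)         # (new-drive cost, cost after reuse)
```

In this model Secure Erase restores new-drive write cost for the same reason TRIM does (cells are already erased when the next write arrives), but it does so by destroying every file on the device.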

 

 

 

 
