NVMe Crypto Erase and Sanitize

I have an NVMe SSD, and I am trying to determine if it is capable of performing an effective “Instant Secure Erase”, similar to self-encrypting HDDs wherein this is done via a Sanitize - Crypto Erase command. I want to be able to decommission or repurpose the drive, moving it to another system if needed, in a manner that is safe. Traditional Overwrite methods are unacceptably slow.

For clarity, this topic is specifically about the SANITIZE command functionality in cryptographic erase mode.

I could find almost no information about what models supported these features, so I just purchased one. I am using nvme-cli. Output has been formatted for the forum.

# nvme list
Node: /dev/nvme0n1
SN: S5#####
Model: Samsung SSD 970 EVO Plus 1TB
Namespace: 1
Usage: 0.00 B / 1.00 TB
Format: 512 B + 0 B
FW Rev: 2B2Q####

# nvme id-ctrl -H /dev/nvme0n1
[…]
sanicap : 0
 [2:2] : 0 Overwrite Sanitize Operation Not Supported
 [1:1] : 0 Block Erase Sanitize Operation Not Supported
 [0:0] : 0 Crypto Erase Sanitize Operation Not Supported

According to nvme-cli, the Crypto Erase method of Sanitize is not supported by this device. However,

fna : 0x5
 [2:2] : 0x1 Crypto Erase Supported as part of Secure Erase
 [1:1] : 0 Crypto Erase Applies to Single Namespace(s)
 [0:0] : 0x1 Format Applies to All Namespace(s)

Specifically mentions Crypto Erase as supported “as part of Secure Erase”.

What does this mean?

  1. Does this mean any “Secure Erase” command will default to using the Crypto Erase method?
  2. How is it possible to support Crypto Erase as part of Secure Erase but not Sanitize?
  3. Is Crypto Erase Sanitize more thorough/secure than Crypto Erase Supported as part of Secure Erase?
  4. What is the difference?

The fna section of the output above indicates the capabilities of the NVM Format command. So, supposedly I can achieve a Crypto Erase by Format, but not Sanitize.

Testing this, attempting a Sanitize with Crypto Erase:

# nvme sanitize /dev/nvme0n1 -a 0x04
NVMe Status:INVALID_OPCODE: The associated command opcode field is not valid(1)

Makes sense, it said it was unsupported. And attempting a Format with Crypto Erase:

# nvme format /dev/nvme0n1 --ses 2
Success formatting namespace:1

This is also consistent with the reported feature set. It also completes in less than 1 second, whereas --ses 1 (block erase) takes about 10 seconds. Consistent with what I would expect from a true Crypto Erase and Block Erase.

But my understanding is that a true Crypto Erase involves dropping the key used to encrypt all data. That would imply this consumer drive is self-encrypting. That seems unlikely on this consumer device(?), especially at these incredible data rates (1-4 GB/sec). Am I behind the times? Is this a standard feature now and if so, why is Sanitize not supported, if the mechanism is there?

This is straight out-of-box. I have issued no other configuration commands myself. Debian host.

Is this a “real” Crypto Erase, and is this a self-encrypting device?

Thank you all for your insight.
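The capability check described in the post above, as an added example that is not part of the original post: it reads the `sanicap` and `fna` fields from `nvme id-ctrl` text and prints (without running) the crypto-erase command the controller advertises. The function names and the sample text are constructed for illustration; the sample uses the values reported in the post.

```shell
#!/usr/bin/env bash
# Added example: decode SANICAP / FNA and report the advertised crypto-erase path.
# Nothing here touches a device; commands are only printed.

# Constructed sample using the values from the post (sanicap 0, fna 0x5).
SAMPLE_IDCTRL='fna       : 0x5
sanicap   : 0
 [0:0] : 0 Crypto Erase Sanitize Operation Not Supported'

# Print the value of one id-ctrl field (by exact name) from text on stdin.
idctrl_field() {
    awk -F: -v key="$1" '{ k = $1; gsub(/[ \t]/, "", k)
        if (k == key) { v = $2; gsub(/[ \t]/, "", v); print v; exit } }'
}

# Print bit $2 of value $1 (shell arithmetic accepts 0x.. and decimal).
bit() { echo $(( ($1 >> $2) & 1 )); }

# Print the crypto-erase command for device $1 given id-ctrl text $2.
# Returns 1 if neither Sanitize nor Format advertises crypto erase.
erase_plan() {
    local dev="$1" text="$2" sanicap fna
    sanicap=$(printf '%s\n' "$text" | idctrl_field sanicap)
    fna=$(printf '%s\n' "$text" | idctrl_field fna)
    [ -n "$sanicap" ] && [ -n "$fna" ] || { echo "sanicap/fna not found" >&2; return 2; }
    if [ "$(bit "$sanicap" 0)" -eq 1 ]; then
        echo "nvme sanitize $dev -a 0x04"   # sanicap bit 0: Crypto Erase Sanitize
    elif [ "$(bit "$fna" 2)" -eq 1 ]; then
        echo "nvme format $dev --ses 2"     # fna bit 2: Crypto Erase via Format
    else
        echo "none"; return 1
    fi
}

# Scope of a Format-based erase, from fna bit 1 (0 = the addressed namespace only).
format_erase_scope() {
    local fna
    fna=$(printf '%s\n' "$1" | idctrl_field fna)
    if [ "$(bit "$fna" 1)" -eq 1 ]; then echo "all-namespaces"; else echo "single-namespace"; fi
}

# On a live system the text would come from: nvme id-ctrl /dev/nvme0n1
erase_plan /dev/nvme0n1 "$SAMPLE_IDCTRL"
```

For the values in the post this prints the Format command, matching what the poster found by trial: Sanitize is rejected while `--ses 2` succeeds.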

Wouldn’t shred on an NVMe drive be pretty fast? On 7200rpm 500GB SATA 3Gb/s it only takes about 40 minutes. Don’t ask how I know… I would think NVMe to be faster?

1 Like

With storage you’d typically use an XTS scheme to allow for random writes, which means you can parallelize crypto ops as well. AES is super cheap to implement in hardware.

Even on SATA SSDs, how would you ensure LBA ranges of blocks that are remapped and inaccessible no longer contain useful data?

1 Like

I believe shred is an overwrite operation. This takes too long.

This makes sense, thank you. Why would Crypto Erase Sanitize not be supported if the device has the ability to drop the key? It seems odd that this function is supported only through another command (NVM Format) which has less to do with dropping keys or securely destroying data than NVM Sanitize.

Isn’t it easier just to secure delete after disposal? And during use keep the filesystem encrypted. I don’t see any cases where continuous secure delete is superior.

Secure Erase ought to work on any SSD whether or not it uses a crypto key. Secure Erase even works on a number of hard disk drives.

If it cannot quick erase by changing the key then it will do a full disk TRIM and take two or three minutes to reset all of the Flash cells.

If it is a hard drive it will overwrite all the tracks.

That’s how it is supposed to work.

1 Like

Thank you, but I am specifically discussing the functionality of the Crypto Erase mode of the Sanitize command from the ATA command set. Secure Erase is a different command with other mechanisms.

There are three categories of sanitization methods: Overwrite, Block Erase, and Crypto Erase. Overwrite is unhealthy for SSDs, so instead they have Block Erase. Crypto Erase is virtually instantaneous, but has historically only been on SEDs (Self-Encrypting Drives).

My questions are due to the discrepancy between the different supported commands. Why is Sanitize Crypto Erase not supported but Format Crypto Erase is?
