I have an NVMe SSD, and I am trying to determine if it is capable of performing an effective “Instant Secure Erase”, similar to self-encrypting HDDs wherein this is done via a Sanitize - Crypto Erase
command. I want to be able to decommission or repurpose the drive, moving it to another system if needed, in a manner that is safe. Traditional Overwrite methods are unacceptably slow.
For clarity, this topic is specifically about the SANITIZE command functionality in cryptographic erase mode.
I could find almost no information about what models supported these features, so I just purchased one. I am using nvme-cli. Output has been formatted for the forum.
# nvme list
Node: /dev/nvme0n1
SN: S5#####
Model: Samsung SSD 970 EVO Plus 1TB
Namespace: 1
Usage: 0.00 B / 1.00 TB
Format: 512 B + 0 B
FW Rev: 2B2Q####
# nvme id-ctrl -H /dev/nvme0n1
[…]
sanicap : 0
[2:2] : 0 Overwrite Sanitize Operation Not Supported
[1:1] : 0 Block Erase Sanitize Operation Not Supported
[0:0] : 0 Crypto Erase Sanitize Operation Not Supported
According to nvme-cli, the Crypto Erase method of Sanitize is not supported by this device. However,
fna : 0x5
[2:2] : 0x1 Crypto Erase Supported as part of Secure Erase
[1:1] : 0 Crypto Erase Applies to Single Namespace(s)
[0:0] : 0x1 Format Applies to All Namespace(s)
Specifically mentions Crypto Erase as supported “as part of Secure Erase”.
What does this mean?
- Does this mean any “Secure Erase” command will default to using the Crypto Erase method?
- How is it possible to support Crypto Erase as part of Secure Erase but not Sanitize?
- Is
Crypto Erase Sanitize
more thorough/secure thanCrypto Erase Supported as part of Secure Erase
? - What is the difference?
The fna
section the output above indicates the capabilities of the NVM Format command. So, supposedly I can achieve a Crypto Erase by Format
, but not Sanitize
.
Testing this, attempting a Sanitize with Crypto Erase:
# nvme sanitize /dev/nvme0n1 -a 0x04
NVMe Status:INVALID_OPCODE: The associated command opcode field is not valid(1)
Makes sense, it said it was unsupported. And attempting a Format with Crypto Erase:
# nvme format /dev/nvme0n1 --ses 2
Success formatting namespace:1
This is also consistent with the reported feature set. It also completes in less than 1 second, whereas --ses 1 (block erase) takes about 10 seconds. Consistent with what I would expect from a true Crypto Erase and Block Erase.
But my understanding is that a true Crypto Erase involves dropping the key used to encrypt all data. That would imply this consumer drive is self-encrypting. That seems unlikely on this consumer device(?), especially at these incredible data rates (1-4 GB/sec). Am I behind the times? Is this a standard feature now and if so, why is Sanitize not supported, if the mechanism is there?
This is straight out-of-box. I have issued no other configuration commands myself. Debian host.
Is this a “real” Crypto Erase, and is this a self-encrypting device?
Thank you all for your insight.