Preparing NVMe SSD for LUKS encryption

So the usual way to prepare an HDD drive before encrypting it with LUKS is to overwrite the drive with sudo dd if=/dev/zero of=/dev/sd_.
On the other hand, the usual consensus about SSDs is that they should not be treated like that, and the proper way is to use the TRIM command. So far I found that there are a couple of ways of doing it, and I don’t know which way is best or when to use it.

What is the proper way of wiping an SSD drive before encrypting it? Is it even necessary?
Thanks in advance.

I do not think it is necessary for an SSD to be wiped or written with zeroes, especially if the SSD is brand new. Back then the “proper” procedure was to wipe with something like DBAN (Darik’s Boot and Nuke) for about 3-5 passes to randomize whatever latent magnetism that you don’t want to be recovered by an advanced data recovery facility.

These days with SSDs, I think the only reason you may need to wipe a drive is if you bought it second hand or if you had lent it to someone else, if you intend to use it in an unencrypted state. Just in case the prior owner/lendee put something like prohibited content - child porn, gay porn (assuming you are in a Muslim country), sextortion video, stolen CIA/NSA/FBI files, etc.

Since you are basically already writing “noise” when the drive is encrypted, the wiping is practically unnecessary. The only other advantage is to “boost” SSD read performance. From what I understand, because of the underlying SSD technology, if the SSD was pre-written with data, especially with “1s” instead of empty “0s” (or maybe just random data), SSD drive read speed increases to the normal working speed, instead of the initial read/write speeds.


The supported way to “low-level” erase an SSD is blkdiscard. For that you have to use a LiveCD, otherwise the drives are in a locked state and the command cannot be performed.

https://www.man7.org/linux/man-pages/man8/blkdiscard.8.html

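A read-only pre-flight check for the choice discussed in this thread (blkdiscard for devices that accept discard, zero-fill with dd for spinning disks), added here as an example and not part of any post. The function names, the result words and the sample sysfs tree are assumptions made for illustration; `queue/rotational` and `queue/discard_max_bytes` are the standard Linux sysfs attributes.

```shell
#!/bin/sh
# Added example: pick a preparation method before luksFormat without touching the disk.
# wipe_method DEV [SYSFS_ROOT] [MOUNTS_FILE] -> busy|blkdiscard|overwrite|unsupported|missing
wipe_method() {
    dev=$1; sysfs=${2:-/sys}; mounts=${3:-/proc/mounts}
    q="$sysfs/block/$dev/queue"
    [ -d "$q" ] || { echo missing; return 0; }

    # Refuse if the disk or one of its partitions (sda1, nvme0n1p2) is mounted.
    # Mounts through device-mapper (LVM, an open LUKS volume) are not detected here.
    if grep -Eq "^/dev/${dev}(p?[0-9]+)? " "$mounts"; then
        echo busy; return 0
    fi

    rotational=$(cat "$q/rotational" 2>/dev/null || echo 1)
    discard_max=$(cat "$q/discard_max_bytes" 2>/dev/null || echo 0)

    if [ "$discard_max" -gt 0 ]; then
        echo blkdiscard     # device accepts discard requests: blkdiscard /dev/$dev
    elif [ "$rotational" -eq 1 ]; then
        echo overwrite      # spinning disk: dd if=/dev/zero of=/dev/$dev
    else
        echo unsupported    # flash without discard support: blkdiscard would fail
    fi
}

# Constructed sample data: a fake sysfs tree and mounts table, so the
# function can be exercised on any machine without real disks.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/block/nvme0n1/queue" "$root/block/sda/queue"
    echo 0 > "$root/block/nvme0n1/queue/rotational"
    echo 2199023255040 > "$root/block/nvme0n1/queue/discard_max_bytes"
    echo 1 > "$root/block/sda/queue/rotational"
    echo 0 > "$root/block/sda/queue/discard_max_bytes"
    echo "/dev/sda1 / ext4 rw 0 0" > "$root/mounts"
    echo "$root"
}

# Demo on the constructed tree; on a live system call: wipe_method nvme0n1
sample=$(make_sample)
for d in nvme0n1 sda; do
    echo "$d: $(wipe_method "$d" "$sample" "$sample/mounts")"
done
rm -rf "$sample"
```

A `busy` result matches the LiveCD advice above: the check only passes once nothing on the disk is mounted.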