Delete everything: how to erase data and restore the NVMe SSD to factory settings


Hello, Habr! We often talk about ways to recover data on magnetic and solid-state drives, about backups, building RAID arrays and other tricks that help us not to be left without important information at the most inopportune moment of our digital life. But what if, at some point, we need to destroy the data on one of our SSDs and return it to its original state, as if it had just come out of the box?

Or the reverse: suppose you need to securely erase all data on a solid-state “drive”, so that it cannot be recovered, because you never know who is curious or hunting for data. What do you do in such situations? Is it enough just to format the SSD as you would a traditional HDD (provided you haven’t tinkered with the “tin” firmware, of course), or is something more required?

Unfortunately, simply formatting the memory cells cannot be called a reliable guarantee of data erasure. For SATA drives, the ATA Secure Erase feature, which we covered in another article, will help. But what about M.2 / mSATA drives? Here the cryptographic erase function (Crypto Erase) comes to the rescue; it is implemented on Kingston drives such as the UV500, A2000, KC2000 and KC600. Security is one of the main features of these drives, including 256-bit AES self-encryption, compatibility with TCG Opal 2.0 security solutions, the IEEE 1667 security standard, and built-in support for Microsoft eDrive and BitLocker.

With the above SSDs, end users can keep all data safe from prying eyes, even if the drive is removed from the main computer and installed in another PC. It is easy to guess that such drives are intended mainly for the business environment, for example to prevent attempts at industrial espionage. It is equally easy to see that, to ensure maximum security, these drives simply must offer a way to erase data forever. In our case, this function is called TCG Revert.

Self-Encrypting SSDs: How Does It Work?

Self-encrypting drives (SED / Self-Encrypting Drive) have existed on the market for many years, but in reality very few people make full use of their capabilities. Such SSDs use the encryption engine built into the drive controller to encrypt everything stored in the flash memory cells. This hardware-based encryption provides a high level of data security, is invisible to the user, cannot be disabled and does not affect performance.

Modern self-encrypting drives are based on the Trusted Computing Group (TCG) Enterprise SSC v1.0 industry standard. In older products, the hardware encryption engine would simply use the encryption key provided by the user. In the case of TCG Opal 2.0, the hardware engine uses a random “key encryption key” (KEK) created by a random number generator. This key is not accessible through any external interface and is used to encrypt the MEKs (“media encryption keys”), which are always stored in encrypted form inside the SED SSD controller.

What is TCG Opal?

The TCG security subsystem class (SSC) is a hardware feature of self-encrypting SED SSDs that helps speed up data encryption on the drive. Unlike software encryption, hardware encryption frees the processor and operating system from the load of encrypting and decrypting, so overall performance does not deteriorate. The Opal SSC specification set itself provides security management standards to protect data from theft and tampering by unscrupulous individuals who may gain access to the storage device or to the host system in which it is installed. It is worth noting that the TCG Opal function does not work by itself: it requires special management software (from Symantec, McAfee, WinMagic and other companies) that applies the security settings and initializes the user each time the computer is turned on.

The Opal SSC specifications are designed to protect data at rest, that is, when the storage device has been turned off and the user has logged out of the system. Note that this “at rest” state is not the same as sleep mode, in which the user has not logged out. As a result, you have to compromise and give up the convenience of standby mode. Keep in mind also that SED SSDs are not designed to protect against data access once the drive has been unlocked with valid credentials.

At rest, the main area of the disk is completely locked and inaccessible. When the system boots, however, the encrypted disk presents a shadow copy of the main boot partition for pre-boot authentication. This shadow MBR is a small operating system that asks the user for the drive password, which is then passed to the SSD controller via Opal commands. If the password is valid, the disk is unlocked and the real operating system boots. As a result, only authorized users can access data on a device to which they have added password protection; this minimizes the likelihood of theft, tampering or data loss.

How to permanently erase data from an SSD?

Some SSDs, including self-encrypting ones, simply cannot be erased completely because of this very hardware encryption. At the same time, there is an effective solution: the so-called cryptographic “erasure” of information via the PSID Revert operation. In fact, the whole cleaning procedure comes down to destroying all the encryption keys, so the data can no longer be decrypted. Please note that this method cannot be used on SSDs without TCG Opal support, and it will not work if the TCG Opal and eDrive options are not activated. A more detailed manual for working with TCG Opal on Kingston drives can be found on the company’s official website. In this article we only touch on the complete deletion of data from an SSD, without going into the intricacies of the preliminary settings that must be made before using Opal-compatible drives.

So, from words to action. To erase all data from a Kingston KC2000 500GB SSD using the Revert method, you will need to attach the “drive” in question as a secondary drive in Windows 8, 10 or Windows Server 2012. When everything is ready, download the Kingston SSD Manager utility from the manufacturer’s official website, install it on the main drive and run it (utilities with similar functionality are also provided by other manufacturers for their drives, so the cryptographic erasure procedure will be similar). Among the disk servicing settings there is the option we need to reset the drive.

You will find it on the Security tab, where you need to select the TCG Revert command (“Return TCG to its original settings”). To confirm access to the SSD, enter the PSID in the text box to the right of TCG Revert (the unique 32-character identifier printed on the drive itself) and activate the reset option. After the reset operation completes, the program displays a message about the successful operation. Otherwise (if the message did not appear, for example because you mistyped the PSID), you must run the reset again.

As a result of the procedure, all data on the drive is cryptographically deleted and the SSD is reset to factory settings. All that remains is to disable IEEE 1667 support, and the drive is ready for reuse without any worry that the information on it could be recovered. Moreover, you can use any compatible security application to reactivate Opal or eDrive on such an SSD.
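The same PSID revert can be scripted on Linux with the open-source sedutil-cli tool instead of the Kingston SSD Manager GUI described above. The helper below is an added example, not code from the article or from Kingston: it validates the PSID before issuing the revert (a mistyped PSID is the failure case the article mentions) and then checks that a marker string known to have been on the drive no longer appears in its first megabytes. It assumes sedutil-cli is installed and that a PSID is 32 upper-case alphanumeric characters.

```shell
#!/bin/sh
# Added example (not from the article): Linux counterpart of the TCG Revert
# step, plus a post-erase verification. Assumes sedutil-cli is installed.

psid_is_valid() {
    # Returns 0 when $1 looks like a PSID: exactly 32 characters, A-Z or 0-9.
    # Explicit character list avoids locale-dependent [A-Z] range matching.
    case "$1" in
        *[!ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

opal_revert_cmd() {
    # Prints the exact sedutil-cli invocation for a PSID revert of device $2
    # using PSID $1, without running it (useful for review before execution).
    psid_is_valid "$1" || { echo "invalid PSID format" >&2; return 1; }
    printf '%s\n' "sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID $1 $2"
}

run_revert() {
    # Performs the revert. Refuses to proceed unless the PSID is well formed,
    # so a typo fails here instead of as an opaque error from the drive.
    psid_is_valid "$1" || { echo "invalid PSID format" >&2; return 1; }
    sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID "$1" "$2"
}

marker_gone() {
    # Returns 0 when marker string $1 is absent from the first $3 MiB
    # (default 16) of device or image $2. After a successful crypto-erase the
    # old plaintext must not be readable, so a known marker should be gone.
    mib="${3:-16}"
    ! dd if="$2" bs=1048576 count="$mib" 2>/dev/null | grep -q -a -F "$1"
}
```

Write a recognisable marker to a scratch partition before the revert, and call `marker_gone` against the raw device afterwards to confirm the media really changed.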

For more information on Kingston Technology products, visit the company’s official website.
