
Re: Wiping an unencrypted SSD in preparation for encryption



On Thu, Jun 10, 2021 at 11:31:07PM -0500, David Wright wrote:
> I'm about to install buster or bullseye on a newly acquired laptop
> with an SSD (a first for me). I'm intending to clean (zero or
> randomise) the entire drive with dd before I start, and am
> interested in any pitfalls with that.
> 
Don't bother - as others have said, it won't help particularly
_especially_ since this is an NVME. Enjoy the speed :)

> I will also encrypt the new /home partition, but for the remaining
> partitions I need to decide whether to add mount's discard option,
> or use a weekly systemd trim, or leave it entirely up to the garbage
> collection in the SSD device itself (which is an nvme THNSN5512GPUK
> TOSHIBA, presumably an OEM model supplied for this HP Spectre).
> 
Just install Debian with an expert install: use the guided partitioning 
for encrypted LVM and set /home as a separate partition.

> The machine has 16GB of memory, so I wasn't intending to use swap.
> (It won't have to hibernate, and if push came to shove, there's
> always the possibility of setting up a swapfile or a ramdisk.)
> 
If you install bullseye, the swap file is only 1G anyway (changed default
for Bullseye).

> Background:
> 
> The July 2017 system was pre-installed with Windows 10.
> 
> I have copied the entire disk to external spinning rust, and can
> mount partitions from this image. It's difficult to foresee my ever
> wanting to reload and run this Windows system.
> 
> The drive has unencrypted information on it, either in existing files,
> or in deleted/overwritten/whatever ones (though I think that is
> irrelevant to the method for erasing them).
> 

If you really do want to erase older spinning rust, DBAN is probably good
enough - but in many cases just doing a couple of installs of Debian over
the top may be enough :)

> I don't work for the CIA**, so "basic" erasure methods are sufficient,
> ie so-called logical and digital sanitisation, but not analogue
> sanitisation/purging. I'm just encrypting stuff like personal bank
> records etc, and not looking for anything like plausible deniability.
> 
> Cheers,
> David.
> 
Just my €0.02 - all best, as ever,

Andy C.

** You mentioned the CIA:

As I was going up the stair
I met a man who wasn't there
He wasn't there again today
I *think* he's from the CIA

