SSD Data Destruction: Why Traditional Methods Don't Work

If your organization is still treating SSD sanitization the same as HDD sanitization, you have a problem. The techniques that reliably erase a spinning hard drive -- single-pass overwrites, multi-pass patterns like DoD 5220.22-M -- do not provide the same guarantees on solid-state storage. The underlying technology is fundamentally different, and those differences have direct implications for data sanitization.

This article explains why SSDs behave differently from HDDs at the hardware level, why traditional overwrite methods fall short, what sanitization commands actually work, what NIST SP 800-88 recommends for flash media, and how ExpungeData handles SSD sanitization in practice.

Why SSDs Are Different from HDDs

A traditional hard disk drive stores data on spinning magnetic platters. The read/write head can be directed to any sector on the platter, and when you overwrite a sector, the previous data in that exact physical location is replaced. Overwrite sector 1,000, and the previous contents of sector 1,000 are gone. This is why single-pass overwrite is effective on HDDs -- there is a direct, predictable mapping between logical addresses and physical locations.

Solid-state drives do not work this way. SSDs store data in NAND flash memory cells organized into pages and blocks. Between the operating system and those physical cells sits a layer of firmware called the flash translation layer (FTL), and it fundamentally changes the relationship between logical addresses and physical storage.

Wear Leveling

NAND flash cells have a limited number of program/erase (P/E) cycles before they wear out -- typically 1,000 to 100,000 cycles depending on the cell type (SLC, MLC, TLC, QLC). To maximize drive lifespan, the FTL distributes writes across all available cells as evenly as possible. This means that when you write to logical address 1,000, the FTL may place that data at any physical location on the drive. The next write to logical address 1,000 will likely go to a different physical location.

The implication for sanitization is significant: overwriting a logical address does not necessarily overwrite the physical cells that held the previous data at that address. The old data may still exist in the original physical location, now marked as stale but not yet erased.

Over-Provisioning

SSDs contain more physical storage capacity than their advertised capacity. A drive marketed as 1 TB might contain 1.1 TB or more of actual NAND flash. The extra capacity -- called over-provisioning -- is used by the FTL for wear leveling, garbage collection, and bad block replacement. This space is not addressable by the host operating system.

A standard overwrite operation can only reach addressable logical sectors. It cannot reach over-provisioned space. Any data that was relocated to over-provisioned areas during normal operation remains untouched by a logical overwrite, and it may be recoverable with specialized tools or direct NAND chip reading.

TRIM and Garbage Collection

When a file is deleted, the operating system sends a TRIM command telling the SSD that certain logical blocks are no longer in use. The SSD's garbage collection process will eventually erase those physical blocks to make them available for new writes -- but "eventually" is the key word. Until garbage collection runs, the data remains in the flash cells. The timing of garbage collection is controlled entirely by the drive firmware and is not deterministic.

TRIM is not a sanitization command. It is a performance optimization hint. Relying on TRIM for data destruction is not appropriate for any regulated environment.

The Flash Translation Layer

The FTL is the root of the problem. It is a firmware abstraction that makes an SSD appear to the operating system like a traditional block device, while internally managing a completely different storage architecture. Because the FTL controls the mapping between logical and physical addresses, any operation that works at the logical level (including standard overwrite tools) cannot guarantee that all physical cells have been sanitized.

Why a Single-Pass Overwrite Is Not Sufficient

Given the architecture described above, the limitations of logical overwrite become clear:

• Wear leveling means overwritten data may still exist in stale physical cells that were remapped during the write.
• Over-provisioning means a logical overwrite cannot reach all physical storage on the drive.
• Garbage collection timing is non-deterministic, so there is no guarantee that stale cells have been erased after an overwrite completes.
• Bad block retirement means cells that developed errors (and may still contain readable data) are removed from the FTL's active pool and are unreachable by logical writes.

Research has confirmed these concerns. A 2011 study by Wei et al. at UC San Diego found that single-pass overwrite on SSDs left between 4% and 75% of the data intact, depending on the drive model and FTL implementation. While SSD firmware has improved since then, the fundamental architectural limitations remain. NIST does not recommend logical overwrite as a standalone Purge method for flash media.

ATA Secure Erase vs. Enhanced Secure Erase vs. NVMe Format

Because logical overwrite is insufficient, SSD sanitization relies on firmware-level commands that operate below the FTL. There are three primary commands used in practice:

ATA Secure Erase

The ATA Secure Erase command instructs the drive firmware to erase all user data areas. On an SSD, this typically triggers a block erase of all NAND flash, including over-provisioned areas. The command is issued via the ATA command set and is supported by most SATA SSDs.

However, the behavior of ATA Secure Erase is implementation-dependent. Some drive manufacturers implement it as a full block erase; others may implement it as a cryptographic erase (destroying the encryption key rather than the data). The NIST guidance treats Secure Erase as a valid Purge method for most flash media, but notes that verification is important because implementations vary.

ATA Enhanced Secure Erase

Enhanced Secure Erase is an extension that is intended to erase all data including sectors that are marked as reallocated or inaccessible. On self-encrypting drives (SEDs), Enhanced Secure Erase typically performs a cryptographic erase, changing the media encryption key and rendering all data permanently unreadable without requiring a physical erase of every cell.

For self-encrypting SSDs, cryptographic erase via Enhanced Secure Erase is often the fastest and most thorough sanitization option, provided the drive's encryption implementation is sound. NIST recognizes cryptographic erase as a valid Purge method when the encryption meets specified standards.

NVMe Format (Secure Erase Settings)

NVMe drives use a different command set. The NVMe Format command with Secure Erase Setting 1 (User Data Erase) or Setting 2 (Cryptographic Erase) provides equivalent functionality to ATA Secure Erase and Enhanced Secure Erase, respectively.

NVMe also provides the Sanitize command, introduced in NVMe 1.3, which offers Block Erase, Crypto Erase, and Overwrite options specifically designed for sanitization use cases. The Sanitize command is preferred over Format for sanitization because it is more explicitly defined and includes progress reporting.

NIST Guidance for Flash Media

NIST SP 800-88 Rev. 2 provides specific guidance for flash-based storage media. The key recommendations include:

• Clear: Overwrite using firmware-supported methods. NIST notes that logical overwrite provides Clear-level sanitization for flash media but acknowledges the limitations related to over-provisioning and wear leveling. Clear is appropriate only for low-security scenarios.
• Purge: Use the device's built-in sanitization commands (ATA Secure Erase, NVMe Sanitize, or cryptographic erase for SEDs). Purge is the recommended minimum for most enterprise data, including data subject to regulatory requirements.
• Destroy: Physical destruction -- shredding, disintegration, or incineration -- is the only option that provides absolute certainty, regardless of drive type or firmware implementation. NIST recommends Destroy for the highest-security classifications.

The critical takeaway from the NIST guidance is that logical overwrite alone does not achieve Purge for SSDs. Organizations that rely on overwrite-only tools for SSD sanitization are operating at the Clear level, which is insufficient for most regulated data.

How ExpungeData Handles SSD Sanitization

ExpungeData's documentation platform is designed to work with sanitization tools that properly handle flash media. Here is how the process works in practice:

• Drive detection: During intake, each drive's interface type (SATA, SAS, NVMe), model, firmware version, and capacity are recorded. The system identifies whether a drive is an HDD or SSD and whether it supports self-encrypting drive features.
• Method selection: The sanitization method is recorded for each drive -- whether it was processed via ATA Secure Erase, Enhanced Secure Erase, NVMe Sanitize, or physical destruction. The NIST category (Clear, Purge, or Destroy) is documented automatically based on the method used and the drive type.
• Verification recording: Post-sanitization verification results are captured. For firmware-based commands, this includes confirmation that the command completed successfully and that a sampling read of the drive returns zeroes or a pattern consistent with a completed erase.
• Per-drive certificates: Each drive receives its own sanitization record within the certificate of data destruction. The certificate specifies the exact command used, the NIST category achieved, and the verification result. This level of detail is critical for demonstrating that SSDs received appropriate treatment.

The distinction matters for compliance. An auditor reviewing your data destruction records needs to see that SSDs were sanitized using firmware-level commands, not just overwritten. ExpungeData's certificates provide that level of specificity.

When Physical Destruction Is the Right Choice

Firmware-based sanitization commands are effective for most enterprise scenarios, but there are cases where physical destruction is the better option:

• Drives that don't support Secure Erase: Some older or low-end SSDs may not properly implement sanitization commands.
• Failed drives: If a drive cannot communicate with the host system, firmware commands cannot be issued. Physical destruction is the only option for non-functional media.
• Highest-security data: For classified or extremely sensitive data, physical destruction provides the highest assurance regardless of firmware implementation quality.
• Regulatory requirements: Some organizations' internal policies or contractual obligations mandate physical destruction for all media, regardless of type.

For SSDs, physical destruction means shredding to a particle size that ensures individual NAND flash chips are destroyed. Standard HDD shredders may not achieve a sufficiently small particle size for SSDs, particularly for M.2 form factors. Purpose-built SSD shredders or disintegrators are recommended.

Key Takeaways

SSD sanitization is not the same as HDD sanitization. The techniques that work for magnetic media do not translate to flash storage because of wear leveling, over-provisioning, and the flash translation layer. Organizations that want to achieve Purge-level sanitization on SSDs must use firmware-level commands (ATA Secure Erase, NVMe Sanitize, or cryptographic erase), and they must document the specific method used for each drive.

Treating SSDs like HDDs during data destruction is one of the most common -- and most dangerous -- mistakes in ITAD operations.

ExpungeData helps ITAD operators document SSD sanitization correctly, with per-drive records that specify the exact command used, the NIST category achieved, and the verification result. If your current process treats all drives the same, it is time to upgrade your documentation. Contact us to learn how ExpungeData handles flash media sanitization documentation.