
I'm making a master SSD that will be duplicated to other drives, which in turn will be delivered to customers. I need to make sure that customers will not be able to recover files that have been deleted on my master drive.

With a spinning magnetic hard drive, I'd overwrite all the free space with zeros. But, with an SSD, I hear that that's either unnecessary (due to TRIM deallocating unused blocks) or insufficient (due to customers unsoldering the flash chips and getting at the raw blocks behind the management system).

I don't care about my proprietary files living on in hidden, swapped-out flash blocks; I only care about what a disk cloning tool would see. I assume that any reused blocks will be erased of any old data.

FYI, I'm using a recent version of openSUSE.

(This question isn't a duplicate of any of these:

This will be a bootable openSUSE Leap 15.* drive. I've been using Clonezilla to clone, and it's worked well.

Ramhound

1 Answer


I need to make sure that customers will not be able to recover files that have been deleted on my master drive.

Use a filesystem-aware clone. For example, partclone and ntfsclone understand the "free space map" that certain filesystems use and can simply skip cloning the blocks that the filesystem considers unused. So if you've deleted some files, ntfsclone won't even look at the sectors in which they used to be. (Though the primary goal is performance – not privacy – so these tools may not be 100% accurate; it's possible that they might still copy some "free" sectors surrounding the "used" areas.) For Linux, you can use cp -a or pax -io or rsync.

If it's an option, use file-level copy instead of block-level clone. For example, Windows has DISM with .wim images, which is how fresh Windows installations are done under the hood, and is also officially the tool for creating custom images. (That is... as long as the amount of files doesn't exceed "fresh Windows installation plus a few GB", as it gets excruciatingly slow beyond that point.)

I only care about what a disk cloning tool would see.

A disk cloning tool sees exactly the same logical "view" of the storage as the OS does.

The only regular interface a disk exposes to the computer is read/write by LBA (logical block or sector address). The computer cannot directly specify a physical flash location to read from; it always goes through the same remapping process (for HDDs as well, when they remap an LBA from a bad physical sector to a spare).

So if you overwrite a given logical sector with zeros (e.g. if you "shred" a file before deleting it), then all further read attempts from that logical sector will return zeros, and the same for any other data written to that sector. (Which is basically the disk's One Job: you write data to location X and you get the same data back from location X.)

Even though the old physical location hasn't been overwritten (assuming it's an SSD), the computer has no way of accessing it – every command that specifies the same LBA will always refer to the new physical location.

Similarly, if you issue a TRIM/DISCARD/UNMAP command and the disk's firmware returns zeroes when reading from unmapped areas, then it returns exactly the same to a disk cloning tool as well.

Some SSDs may have hidden commands (manufacturer specific) to read by physical address, but knowing those and having software to make use of them is probably on the same level as disassembling to the flash chips, anyway.

grawity
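As an added illustration (not part of the question or the answer above), here is a toy model of the LBA-to-physical remapping the answer describes: every write lands in a fresh physical page, reads go through the mapping and return zeros for unmapped sectors, and two dump functions compare what a block-level cloning tool sees with what the raw flash still holds after a "shred" and a TRIM. The class, function names, the 16-byte sector and the sample file content are all constructed for this example.

```python
"""Toy FTL model: each LBA write lands in a fresh physical page, so the host
(and any cloning tool) only sees the current mapping, never old pages."""

SECTOR = 16  # constructed toy sector size in bytes
ZERO = b"\x00" * SECTOR

class ToySsd:
    def __init__(self, physical_pages):
        self.flash = [None] * physical_pages  # raw pages; None = never written
        self.lba_map = {}  # LBA -> physical page index
        self.next_free = 0  # toy allocator: always take a fresh page

    def write(self, lba, data):
        """Host write: data goes to a NEW page; the old page is not erased."""
        page, self.next_free = self.next_free, self.next_free + 1
        self.flash[page] = data
        self.lba_map[lba] = page

    def read(self, lba):
        """Host read: an unmapped (never written or trimmed) LBA reads as zeros."""
        page = self.lba_map.get(lba)
        return ZERO if page is None else self.flash[page]

    def trim(self, lba):
        """TRIM/DISCARD: drop the mapping; the page keeps its bytes until erased."""
        self.lba_map.pop(lba, None)

def clone_logical(ssd, lba_count):
    """What a block-level cloning tool gets: a sequential read of every LBA."""
    return b"".join(ssd.read(lba) for lba in range(lba_count))

def dump_physical(ssd):
    """What reading the raw flash chips would yield (not host-accessible)."""
    return b"".join(p for p in ssd.flash if p is not None)

def demo():
    """Write a secret twice, shred one copy, TRIM the other, compare views."""
    ssd = ToySsd(physical_pages=8)
    secret = b"PROPRIETARY-DATA"  # constructed sample file content (16 bytes)
    ssd.write(0, secret)  # file copy at LBA 0
    ssd.write(1, secret)  # file copy at LBA 1
    ssd.write(0, ZERO)  # "shred": overwrite LBA 0 with zeros before deleting
    ssd.trim(1)  # delete + TRIM LBA 1 (fstrim / discard)
    image = clone_logical(ssd, lba_count=4)
    raw = dump_physical(ssd)
    return {"secret_in_clone": secret in image, "secret_in_raw_flash": secret in raw}

if __name__ == "__main__":
    print(demo())
```

The clone contains no trace of the secret even though the raw flash still does, which is exactly the distinction the answer draws between the logical view and a chip-off read.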