
How to Securely Wipe an SSD (And Get a Certificate)

If you try to wipe a Solid State Drive (SSD) using the same software you used for old hard drives, you are leaving data behind. Here is how to do it correctly.

The Problem with Overwriting SSDs

Traditional data erasure software works by writing zeros or random data over every sector of a hard drive. This works perfectly for magnetic platters (HDDs). But SSDs and NVMe drives use flash memory, which behaves very differently.

The Wear-Leveling Trap

Flash memory cells degrade over time. To prevent the drive from dying prematurely, the SSD controller uses "wear-leveling" to spread writes evenly across all physical cells. When software tries to overwrite a specific file, the controller secretly writes the new data to a different physical location and marks the old location as "deleted" — but the original data is still physically there.

Because of wear-leveling and over-provisioning (hidden backup storage on the drive), software-based overwriting cannot reach all the data on an SSD.

The Solution: Firmware-Level Erasure

To securely erase an SSD, you must bypass the operating system and send a command directly to the drive's firmware. The firmware then instructs the controller to apply a voltage spike to all flash memory cells simultaneously, resetting them to an empty state.

There are two primary commands used for this, depending on the drive interface:

1. ATA Secure Erase (for SATA SSDs)

Built into the ATA specification, this command tells the drive to wipe all user data areas. An enhanced version, ATA Enhanced Secure Erase, also wipes hidden areas like reallocated sectors. If the drive is self-encrypting (SED), it simply throws away the encryption key (Crypto Erase), rendering the data instantly unreadable.

2. NVMe Sanitize (for NVMe SSDs)

NVMe drives use the PCIe bus and have their own command set. The NVMe Sanitize command is the modern equivalent of ATA Secure Erase. It guarantees that data is purged from all caches, over-provisioned areas, and user storage.

How to Generate a Wipe Certificate

Issuing these commands manually from a Linux terminal (using `hdparm` or `nvme-cli`) is possible, but it does not produce the audit trail required by compliance frameworks like NIST 800-88 or GDPR.

To get a verifiable certificate, you need a platform like WipeCert:

  1. Boot the device using the WipeCert ISO, or deploy the WipeCert agent via Intune.
  2. Select the drive. WipeCert automatically detects if it is an HDD, SATA SSD, or NVMe drive.
  3. Execute the wipe. WipeCert issues the correct firmware command (ATA Secure Erase or NVMe Sanitize).
  4. Verify. WipeCert reads random sectors across the drive to verify the erasure was successful.
  5. Generate Certificate. A cryptographically signed PDF is generated, containing the drive serial number, the exact command used, and the verification hash.
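
The spot check and record from steps 4 and 5, as an added Python example; it is not WipeCert's code, and the function names, record fields and serial number are constructed for illustration. It assumes an erased drive reads back as zeros (a crypto-erased drive may return random data instead) and uses an HMAC as a stand-in for the certificate's signature.

```python
import hashlib, hmac, json, os, random, tempfile

SECTOR = 512  # logical sector size assumed for this example

def sample_verify(path, samples=64, rng=None):
    """Read randomly chosen sectors; return (non-zero LBAs, SHA-256 over what was read)."""
    rng = rng or random.SystemRandom()
    digest, dirty = hashlib.sha256(), []
    with open(path, "rb") as dev:
        total = dev.seek(0, os.SEEK_END) // SECTOR  # also works on block devices
        for lba in sorted(rng.sample(range(total), min(samples, total))):
            dev.seek(lba * SECTOR)
            data = dev.read(SECTOR)
            digest.update(lba.to_bytes(8, "big") + data)  # bind data to its position
            if any(data):  # assumption: an erased drive reads back as zeros
                dirty.append(lba)
    return dirty, digest.hexdigest()

def _mac(body, key):
    # Canonical JSON so the same record always produces the same MAC.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def build_record(serial, command, dirty, sample_hash, key):
    """Bind serial number, command used and verification hash into one keyed record."""
    body = {"serial": serial, "command": command, "verified": not dirty,
            "dirty_lbas": dirty, "sample_sha256": sample_hash}
    return {**body, "hmac_sha256": _mac(body, key)}

def check_record(record, key):
    """Recompute the MAC so any edit to the record is detected."""
    body = {k: v for k, v in record.items() if k != "hmac_sha256"}
    return hmac.compare_digest(_mac(body, key), record.get("hmac_sha256", ""))

if __name__ == "__main__":
    key = os.urandom(32)  # constructed key; a real one would come from a key store
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "wiped.img")  # constructed stand-in for the drive
        with open(img, "wb") as f:
            f.write(bytes(SECTOR * 2048))
        dirty, digest = sample_verify(img)
        record = build_record("CONSTRUCTED-SN-0001", "NVMe Sanitize", dirty, digest, key)
        print(json.dumps(record, indent=2), check_record(record, key))
```

Random sampling is a spot check: a handful of leftover sectors can fall outside the sample, so the record lists how the check was done rather than claiming every sector was read.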
