Why Flash Storage Complicates Data Destruction

Flash-based storage has become ubiquitous in modern computing. From SSDs and NVMe drives in computers to eMMC chips in mobile devices, USB flash drives, SD cards, and embedded flash in IoT devices, flash memory is everywhere. While this technology delivers excellent performance and reliability, it introduces a set of data destruction challenges that do not exist with traditional magnetic storage.

Understanding these challenges is essential for any organisation that needs to ensure complete data elimination from flash-based devices.

The Fundamental Problem: Write Behaviour

The core challenge with flash storage stems from how NAND flash memory handles write operations. Unlike magnetic media, where data can be overwritten in place, flash memory cells must be erased before they can be written to again. Moreover, erasure happens at the block level (typically 256KB to several megabytes), while writes happen at the page level (typically 4KB to 16KB).

This asymmetry between erase and write granularity means the flash controller must constantly manage data movement behind the scenes. When a page needs to be updated, the controller writes the new data to a different physical location and marks the old location for later erasure. This process, managed by the flash translation layer (FTL), means there is no simple one-to-one relationship between the logical addresses visible to the host system and the physical locations where data actually resides.

Wear Levelling Creates Data Remnants

To extend the lifespan of flash memory, controllers distribute write operations evenly across all available cells through a process called wear levelling. This means that even if you overwrite a file’s logical location, the original data may still exist in a different physical location that the controller has not yet erased.

Wear levelling operates transparently and continuously. Data is constantly being moved between physical locations without any visibility to the operating system or user. A conventional overwrite operation that targets logical addresses simply cannot guarantee that all physical copies of the data have been eliminated.

Over-Provisioning Hides Data

Flash storage devices contain more physical capacity than they report to the host system. This extra capacity, known as over-provisioning, is reserved for the controller’s internal operations including wear levelling, bad block management, and garbage collection. The over-provisioned space is not accessible through the standard host interface.

Data that was previously in user-accessible space may have been relocated to over-provisioned areas as part of the controller’s housekeeping. Standard overwrite operations cannot reach this space, creating potential pockets of recoverable data that persist even after a conventional wipe.

Bad Block Management

When flash cells wear out or become unreliable, the controller marks them as bad blocks and stops using them for new writes. However, the data that was last written to those cells remains in place. Since the blocks are excluded from normal operations, they are also excluded from overwrite-based sanitisation. Any data residing in retired bad blocks is effectively invisible to conventional wiping tools.

The number of bad blocks increases over the life of the device, meaning older flash storage may have more pockets of inaccessible data than newer devices.

Garbage Collection Timing

Flash controllers use a background process called garbage collection to reclaim space from blocks that contain a mix of valid and invalid pages. The timing and behaviour of garbage collection vary between manufacturers and firmware versions. There is no guarantee that garbage collection will erase all remnant data in a predictable timeframe.

Some wiping approaches attempt to trigger garbage collection by filling the drive to capacity with new data, but this does not guarantee that all physical cells have been refreshed, particularly in over-provisioned and bad block areas.

Effective Sanitisation Approaches

Given these challenges, effective flash storage sanitisation requires methods that work at the firmware level rather than through the host interface.

Firmware-level commands: The most reliable software-based approach uses the storage device’s own firmware to perform the sanitisation. ATA Secure Erase and Enhanced Secure Erase for SATA devices, NVMe Sanitize for NVMe devices, and eMMC Secure Erase for embedded flash all instruct the controller to erase all cells, including those in over-provisioned and wear-levelled areas. These commands are designed to address the flash-specific challenges that host-level overwrites cannot. See our guide to NIST 800-88 for more on how these map to sanitisation levels.

Cryptographic erasure: For devices with hardware encryption, destroying the encryption key renders all data cryptographically inaccessible regardless of where it physically resides on the flash. This sidesteps the challenges of reaching every physical cell by making the data unreadable even if it persists.

Physical destruction: For the highest assurance, physical destruction of the flash storage to an appropriate particle size ensures that no data can be recovered. For flash devices, this means reducing the NAND chips to fragments small enough that individual cells cannot be read. Industry guidance suggests particles no larger than 2mm for high-security applications.

Device-Specific Considerations

Different flash-based devices present varying levels of difficulty for sanitisation. Enterprise SSDs and NVMe drives generally have well-implemented firmware sanitise commands. Consumer SSDs may have less thorough firmware implementations. USB flash drives and SD cards often have limited or no firmware-level sanitise capabilities. Embedded flash in mobile devices, IoT devices, and appliances may only be accessible through the device’s own operating system. Microcontrollers with integrated flash may require specialised equipment to access.
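Before trusting a firmware-level command, a practitioner checks what the device actually advertises: whether ATA Secure Erase is supported and not frozen or locked, and which NVMe Sanitize operations the controller reports. The following pre-flight check is an added example, not code from the original article; the hdparm and nvme-cli outputs it parses are constructed samples that mirror the real formats of `hdparm -I` and `nvme id-ctrl`.

```shell
# Added example, not from the original article: pre-flight checks run before
# issuing a firmware-level sanitise command. The sample outputs are constructed
# to mirror `hdparm -I` and `nvme id-ctrl`; on a live system the real command
# output is piped into these functions instead.

# Constructed "Security:" section of `hdparm -I /dev/sdX`: enhanced erase is
# supported, but the drive is frozen (typical right after boot, until a
# suspend/resume cycle clears it), so SECURITY ERASE UNIT would be rejected.
SAMPLE_HDPARM='Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
		frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# Constructed line from `nvme id-ctrl /dev/nvmeX`; SANICAP is a bitmask.
SAMPLE_NVME='sanicap   : 0x3'

# Reads hdparm -I text on stdin and prints one word:
#   unsupported | frozen | locked | enhanced | basic
ata_erase_status() {
    sec=$(sed -n '/^Security:/,/SECURITY ERASE UNIT/p')
    echo "$sec" | grep -q '^[[:space:]]*supported$' || { echo unsupported; return; }
    echo "$sec" | grep -q '^[[:space:]]*frozen' && { echo frozen; return; }
    echo "$sec" | grep -q '^[[:space:]]*locked' && { echo locked; return; }
    echo "$sec" | grep -q 'supported: enhanced erase' && { echo enhanced; return; }
    echo basic
}

# Reads nvme id-ctrl text on stdin and prints the Sanitize operations the
# controller advertises (SANICAP bit 0 crypto erase, bit 1 block erase,
# bit 2 overwrite), or "none" when no Sanitize operation is supported.
nvme_sanitize_modes() {
    cap=$(awk -F: '/^sanicap/ { gsub(/[[:space:]]/, "", $2); print $2 }')
    [ -n "$cap" ] || { echo none; return; }
    out=""
    [ $((cap & 1)) -ne 0 ] && out="$out crypto"
    [ $((cap & 2)) -ne 0 ] && out="$out block"
    [ $((cap & 4)) -ne 0 ] && out="$out overwrite"
    [ -n "$out" ] && echo "${out# }" || echo none
}

# Simulate the drive after suspend/resume by flipping the frozen flag.
unfreeze() { awk '/^[[:space:]]*frozen$/ { print "\tnot\tfrozen"; next } { print }'; }

printf '%s\n' "$SAMPLE_HDPARM" | ata_erase_status
printf '%s\n' "$SAMPLE_HDPARM" | unfreeze | ata_erase_status
printf '%s\n' "$SAMPLE_NVME" | nvme_sanitize_modes
```

A result of "frozen" or "locked" means the erase command will fail even though the drive supports it, and "none" from the NVMe check means the drive falls into the category the article describes as needing cryptographic erasure or physical destruction instead.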

For devices without reliable firmware-level sanitisation, physical destruction is often the only assured method.

Key principle: Never rely on traditional overwrite methods alone for flash storage. Use firmware-level sanitise commands, cryptographic erasure, or physical destruction. Match the method to the device type and the sensitivity of the data. For devices where firmware-level sanitisation is not available or cannot be verified, physical destruction is the safest option. For guidance on incorporating flash-specific procedures into your disposal process, see our guide to building an IT asset disposal policy.

Flash storage is fundamentally different from magnetic storage when it comes to data destruction. Organisations that apply magnetic-era thinking to flash-era devices risk leaving recoverable data on disposed equipment.