Destroying SSDs: why overwriting does not work
Every IT admin knows the reflex: a laptop leaves the fleet, so boot DBAN or a similar tool and overwrite the disk three times. For decades that was the golden rule. On a modern SSD that rule no longer holds. The physical layer under an SSD works fundamentally differently from a magnetic HDD, and an overwrite that was excellent on an HDD is a gamble on an SSD. This article explains why, and what the only reliable solution is.
Who this is for: IT admins, DPOs, buyers who finally want to understand why their wipe procedure does not meet GDPR article 32.
How an SSD stores data
An SSD contains NAND flash chips, split into blocks and pages. Data is written per page (usually 4 or 16 KB) but can only be erased per block (often 256 KB or more). The operating system does not talk directly to those blocks. Between the OS and the NAND sits the Flash Translation Layer (FTL), which maps logical addresses to physical locations. The FTL decides where data ends up, not the OS.
This is essential. When Windows, macOS or Linux says "write to sector X", the FTL can send that write to a completely different NAND cell, for example to spread wear.
Wear levelling: the wear distributor
NAND cells wear out. Every write hurts the cell, and after a few thousand to a hundred thousand cycles the cell is dead. To prevent always hitting the same spot, the controller rotates writes across the whole memory. If you write to logical sector address 0, the data may land in physical cell 12345. The next write to that same address may land in cell 67890.
Consequence: if you "overwrite the whole disk with zeros", you do not know whether you really hit all the old data. Older physical cells may still contain prior content that is no longer addressable logically but can still be read with direct chip access.
Spare cells and over-provisioning
On top of wear levelling, every SSD keeps a spare pool: cells the OS never sees, meant to replace failed cells (remapping) and to keep write performance up (over-provisioning). A 512 GB SSD often has 10 to 30 percent hidden capacity. Those spare cells cannot be reached or overwritten by any OS command. They may hold old data that can still be retrieved via chip access.
A 512 GB SSD actually contains 620 GB to 640 GB of NAND. All the space the OS does not see can hold old data that wipe programmes never touch.
TRIM: helps, but guarantees nothing
TRIM is a command the OS sends to tell the SSD that a block is no longer in use. The controller can then erase that block internally at a suitable moment. That looks like a solution, but:
- TRIM is "advice" to the controller, not a guarantee. When it actually erases is up to the firmware.
- Not all SSDs support deterministic TRIM (where reads after TRIM are guaranteed 0).
- Spare cells are not touched by TRIM.
- With RAID, encryption or older operating systems TRIM may be disabled or limited.
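The FTL remapping, spare pool and TRIM behaviour described in the sections above can be seen together in a toy model. This is an added example, not code from the original article or from any SSD vendor: `ToyFTL`, its lowest-free-page allocation and its one-page-at-a-time garbage collection are simplifying assumptions (real controllers erase per block and pick pages by wear), and the `secret-N` pages are constructed sample data.

```python
# Toy page-mapped FTL (constructed model, not any vendor's firmware).
class ToyFTL:
    def __init__(self, logical_pages, spare_pages):
        self.logical_pages = logical_pages
        # Physical NAND = OS-visible pages + over-provisioned spare pages.
        self.nand = [None] * (logical_pages + spare_pages)  # None = erased
        self.l2p = {}  # logical page -> physical page that currently holds it

    def _alloc(self):
        for p, data in enumerate(self.nand):
            if data is None:
                return p
        # No erased page left: garbage-collect one stale (unmapped) page.
        live = set(self.l2p.values())
        for p in range(len(self.nand)):
            if p not in live:
                self.nand[p] = None
                return p
        raise RuntimeError("NAND full")

    def write(self, lpn, data):
        p = self._alloc()      # out-of-place write: the old page is not touched
        self.nand[p] = data
        self.l2p[lpn] = p      # old physical page is now stale, not erased

    def trim(self, lpn):
        self.l2p.pop(lpn, None)  # mapping dropped; the erase is left to GC

    def read(self, lpn):
        p = self.l2p.get(lpn)
        return b"\x00" if p is None else self.nand[p]

    def chip_dump(self):
        # What direct NAND access sees: every programmed page, mapped or not.
        return [d for d in self.nand if d is not None]

def zero_fill_residue(logical_pages=8, spare_pages=4):
    ftl = ToyFTL(logical_pages, spare_pages)
    for lpn in range(logical_pages):
        ftl.write(lpn, b"secret-%d" % lpn)   # constructed sample data
    for lpn in range(logical_pages):
        ftl.write(lpn, b"\x00")              # the "wipe": one full pass of zeros
    os_view = {ftl.read(lpn) for lpn in range(logical_pages)}
    return os_view, [d for d in ftl.chip_dump() if d != b"\x00"]

def trim_residue():
    ftl = ToyFTL(4, 2)
    ftl.write(0, b"secret-0")
    ftl.trim(0)
    return ftl.read(0), ftl.chip_dump()
```

With 8 visible pages and 4 spare pages, the OS reads back only zeros after the pass, while four of the original pages are still programmed in NAND. After TRIM the logical read returns zero, but the physical page is unchanged until garbage collection reaches it.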
ATA Secure Erase: better but not infallible
The ATA Secure Erase command lets the SSD controller itself erase all cells, including in many cases the spare cells. That is considerably more reliable than overwriting at the OS level. Even so, researchers at UCSD showed back in 2011 (in the paper "Reliably Erasing Data from Flash-Based Solid State Drives") that some of the SSDs tested still left data fragments after Secure Erase. Vendor bugs, firmware issues and implementation errors mean you are never 100 percent certain.
NIST 800-88 therefore classifies Secure Erase on SSD as Purge, with the caveat that success depends on manufacturer and model. Acceptable for low-risk profiles. Insufficient for GDPR-sensitive categories.
Self-encrypting drives: fast wipe via crypto-erase
Modern SSDs often support OPAL or TCG encryption. All data is encrypted with a Data Encryption Key (DEK). Destroying the DEK makes all data unreadable. This is called crypto-erase and takes seconds. It is powerful, provided:
- Encryption has always been active (not turned on later).
- Key management is in order.
- No firmware backdoors have been planted.
- The crypto itself is strong enough (AES-256 minimum).
For high risk, physical destruction remains the safe choice. Crypto-erase is theoretically breakable if a weakness in the encryption is ever found.
SSD stock out of rotation? Destroy physically.
We shred SSDs to DIN 66399 E-4 or higher at your location. No laptop leaves your site intact. Certificate per serial number.
What does DIN 66399 prescribe?
The E-series in DIN 66399 applies to electronic media such as SSDs, USB sticks and memory cards.
- E-2: particles up to 2000 mm². Insufficient for personal data.
- E-3: particles up to 160 mm². Class 1.
- E-4: particles up to 30 mm². The floor for regular personal data.
- E-5: particles up to 10 mm². Special categories and financial.
- E-6: particles up to 1 mm². Highly sensitive data.
- E-7: particles up to 0.5 mm². Government and top secret.
For most GDPR-bound organisations, E-4 is the standard. For healthcare, financial and legal, choose E-5. See also our article on DIN 66399 P-levels for the paper side of the same standard.
Difference with USB and SD
USB sticks, SD cards and microSD use the same NAND technology, often with simpler controllers. Many cheap sticks have no wear levelling and poor TRIM support, which makes wiping even less reliable. The conclusion is the same: destroy. See also our article on disposing of USB sticks and memory cards.
In short
- Software overwriting on SSD does not touch all NAND due to wear levelling.
- Spare cells stay out of reach of any OS command.
- ATA Secure Erase is better but not infallible.
- Crypto-erase only works if encryption has been active from day one.
- For GDPR-sensitive data, physical destruction (E-4 or higher) is the only reliable option.
A batch of SSDs from lease return or end-of-life? Call us or request a quote via desnipperaar.nl. Mobile shredder, certificate per serial number, no fuel surcharge.