HP Secure Erase for SSDs & HDDs

Safely and effectively erase sensitive data from solid state and hard drives

HP Secure Erase Overview

HP Secure Erase is a critical resource for IT administrators tasked with protecting sensitive data. It is a key component of HP system security, making it easy to sanitize local magnetic hard disk drives (HDD) or solid-state drives (SSDs) to industry standards before disposal or recycling.

Local Storage Sanitation: An Important Last Step in the PC Lifecycle

In an environment where sensitive user information is under attack at every stage of the system lifecycle, ensuring that data can be securely erased from a data storage device is paramount. Information can be vulnerable if left on a storage drive when a system is recycled, disposed of, or re-provisioned for another user. Properly sanitizing storage drives according to industry standards is a critical step in the PC lifecycle.

HP Secure Erase supports industry-standard data erasure methods for both magnetic hard disk drives (HDDs) and solid-state drives (SSDs). It is a standard feature in all HP business notebooks, supporting the methods outlined in the National Institute of Standards and Technology Special Publication 800-88. Manufacturers of industry-standard SSDs approved for use in HP business notebook products have verified that running HP Secure Erase on their SSDs fully removes all user data so that it cannot be recovered.

Erasing SSDs vs. HDDs

Using HP Secure Erase on standard HDDs involves overwriting data using a data-removal algorithm that writes multiple patterns on every sector, cluster, and bit of the hard drive. This process is documented in the Department of Defense (DOD) 5220.22-M Chapter 8 specification. This overwrite-based process is only effective on standard HDDs. Writing a predetermined data pattern to a NAND flash-based SSD does not result in an empty drive; instead, it results in a drive full of data that must be erased before new user data can be written, which massively shortens the service life.

Industry-Standard Disk Sanitation

To securely erase all user data from an SSD and restore the drive to a fresh-out-of-box (FOB) performance state, the National Institute of Standards and Technology (NIST) supports specific commands that meet the minimum guideline for media sanitization of SSDs (NIST SP800-88 Rev. 1).

Block Erase: This function is enabled only in SATA SSDs. Using the ATA command BLOCK ERASE EXT, Block Erase instructs the SSD controller to apply an erase voltage to all NAND cells of the device. This includes cells in blocks that have been retired, re-allocated, involved in garbage collection or over-provisioning, or are part of a reserved pool of spare blocks. This functionality provides a very fast, complete, and robust erasure of the SSD.
Crypto Erase: This function is enabled only in SATA SED SSDs. Using the ATA command CRYPTO SCRAMBLE EXT, this function removes the encryption key, effectively making it impossible to reconstruct any of the data on the storage device. Crypto Scramble is implemented on both HDD and SSD SED devices.

For the methods outlined in the National Institute of Standards and Technology Special Publication 800-88 "Clear" sanitation method. HP Secure Erase does not support platforms with Intel® Optane™.

Specification 5220.22-M no longer exists. The DoD has subsequently decided that secure information must be destroyed to remain secure. The NIST guidelines restate in clear terms that a two-person rule (read human verification) shall be implemented but did not establish guidelines on the method of sanitization (it could be a single wipe with dual human verification, or a single destruction with the same).

NVMe SSD Sanitization

Block Erase and Crypto Erase Sanitize Operation is a function enabled only in PCIe NVMe SSDs. NVMe does not follow conventional ATA feature sets. Instead, NVMe devices support a sanitization function within their FORMAT NVM command structure that includes BLOCK ERASE SANITIZE and CRYPTO ERASE SANITIZE operation. By setting specific bits in this command structure, a function similar to Secure Erase can be carried out.

What Data is Not Erased?

After deploying HP Secure Erase on an SSD, all data in the user space is completely and irretrievably erased, and every block in the user space is ready to accept new host-written data, which moves the drive to its highest performance state (FOB). However, some data must be left in place, including data required for normal drive operation: SSD firmware copies that reside in the NAND, all SMART data, and retired NAND block mapping tables.

Conclusion

Writing or overwriting data to a drive is the accepted practice of securely eliminating data from an HDD. However, in the case of NAND flash-based SSDs, overwriting is redundant, unnecessary, and a potentially insecure method of eliminating data. By using HP Secure Erase, users can ensure that SSD drives are completely sanitized and meet the minimum industry standards. HP Secure Erase is easily enabled through the standard F10 BIOS setup process on most HP business PCs.

Learn more at: hp.com/go/computersecurity

	HP Secure Erase for Imaging and Printing White Paper This white paper details HP's Secure Erase technology for imaging and printing, designed to meet U.S. Department of Defense 5220-22.M standards for clearing storage media. It covers three erase modes: Secure Sanitizing Erase, Secure Fast Erase, and Non-secure Fast Erase, and explains how these features are applied through HP Web Jetadmin.
	HP ProDesk 4 Mini G1i Desktop AI PC: Kompakt, Leistungsstark und KI-fähig Entdecken Sie den HP ProDesk 4 Mini G1i Desktop AI PC mit Intel® Core™ Ultra Prozessor, 16GB RAM und 512GB SSD. Ideal für Unternehmen, bietet er professionelle Leistung, Sicherheit und ein kompaktes Design für optimale Bereitstellung.
	HP Essential Security Overview: Safeguarding Commercial PCs Discover the HP Essential Security Overview, detailing the HP Security Stack for Commercial PCs. Learn about advanced hardware-enforced security features like HP Sure Start, HP BIOSphere, and HP Sure Click designed to protect business endpoints from evolving threats.
	HP Wolf Protect and Trace Datasheet: Find, Lock, and Erase PCs HP Wolf Protect and Trace is a solution for IT to manage and protect remote HP PCs, enabling users to find, lock, and erase devices for enhanced data security and asset management.
	HP EliteBook 830 G8 Notebook PC QuickSpecs Explore the technical specifications and features of the HP EliteBook 830 G8 Notebook PC, including its design, processors, displays, storage, memory, and networking capabilities.
	HP Global Privacy Statement - Your Data Protection and Rights Understand HP's commitment to privacy. This Global Privacy Statement details how HP collects, uses, shares, and protects your personal data, outlining your rights and how to exercise them.
	HP Access Control Secure Authentication for Healthcare Security Learn how HP Access Control Secure Authentication enhances security for healthcare organizations, protecting patient information at the point of care with robust authentication features and secure printing protocols.
	HP EliteDesk 800 G5 Small Form Factor PC Datasheet Datasheet for the HP EliteDesk 800 G5 Small Form Factor PC, highlighting its security, manageability, and performance features for modern workplaces. Includes detailed specifications and optional accessories.