Erase Hard Drives

How to Securely Erase Your Hard Drive

The siren has sung and you've finally succumbed to her call: You're the proud owner of a shiny new PC; a faster, better SSD; or a bigger, better hard drive.  It's time to toss your old equipment in the trash and start playing with your new toys, right?  Not so fast.

First you need to clean the data off your old drives so you don't become a victim of identity theft.  Simply deleting the data off your hard drive doesn't actually delete it; it basically just hides it from immediate view.  To truly erase the data on your storage device and protect yourself against identity theft, you need to take much more drastic (and time-consuming) measures that overwrite your drive space with ones and zeroes.  That's where this guide comes in.

Different technology and scenarios call for different tools.  We'll identify the best secure-erasing utility for every job, no matter what type of drive you're using—even USB flash drives.  If you want to erase only specific files, we'll show you how to do that, too.  Best of all, every solution discussed is free.

Before You Begin
Back Up Your Data!  Once these programs get ahold of your drive, you can't go back for a forgotten file.  And if you're going to erase a laptop's hard drive, be sure to plug the notebook in before you start.  If the power goes out in the middle of a disk wipe, it could spell disaster for the drive.

Let's Talk Terminology.  Drive-wipe utilities specify how many "passes" the software makes.  Each pass signifies a complete overwrite of the data, so a utility that makes three passes overwrites your data with ones and zeroes three separate times.  The more times you overwrite your data, the less likely it is to be recovered.  Some utilities support "Gutmann"-level protection with 35 passes, but three passes is enough for the U.S. Department of Defense's "Short" specification and for numerous militaries around the globe.

Remember, you also have the option to simply encrypt your entire drive and throw away the (encryption) keys rather than securely erasing everything from the drive.  Disk encryption is pretty robust these days and this method should suffice in general circumstances—but why take chances?  Encrypting drives and wiping drives each take a big chunk of time, so you might as well erase the data completely.

Note that if you do choose to erase your data with any of these methods, you do so at your own risk—which is why we advise making a backup before you begin.  Nevertheless, we have used all of these methods successfully in the past.

Encryption Methods

Encrypt, Reformat and Encrypt Again
Full disk encryption is built into Windows (Vista, 7, 8, and 10) and Mac OS X.  The versions on both OSs work on any attached drive.  However, the Windows encryption tool, BitLocker, usually requires a system with a TPM (Trusted Platform Module) chip.  If your system doesn't have a TPM, you won't be able to access BitLocker, or you'll get an error message if you try.  (This varies with Windows releases and versions, so don't be surprised at what you get.)

Windows
To try BitLocker, go to the Control Panel, click System and Security, and then click on BitLocker Drive Encryption (Pro Versions Only).  Select the drive and start the process.  Encryption will take hours on a large disk, but you should be able to do other work on the system while encryption completes.

If you don't have a TPM chip, or the right version of Windows, you can still erase a drive by performing a standard - NOT quick - format of the drive.  Go to Control Panel, click Computer Management, click Storage, then Disk Management, then the drive you want to erase.  Right click on the disk, choose New Simple Volume, and let the wizard guide you, until you get to the Format window, where you'll make sure that Perform a quick format is NOT checked.

A standard format overwrites the entire drive and, on a hard drive, will take hours.  If a hard drive format takes less than a minute, go back and make sure you're doing a standard format.

Mac OS
The Mac OS FileVault 2 (10.7 and later) function is accessed from System Preferences/Security and Privacy/FileVault.  Choose Turn On FileVault, select a password option, enable any other accounts you want to access the drive - in this case none - and click Restart.  The encryption process will begin and, like Windows, will take some hours if you have a large drive.

Encrypted.  Now what?
After your drives are encrypted, you can now reformat the drive as a new drive, and encrypt it again.  Since the drive is now empty, the second encryption will be much faster.

The second encryption ensures your first encryption key - which is usually kept on the drive - is overwritten.  A zealous decrypter could recover the key and decrypt your data.  But with the second encryption they can only recover the second key, and, since the older data is also encrypted, they still can't read it.

Securely Erase Specific Files With Eraser
If you need to delete only specific files and folders rather than entire drives, the open-source Eraser is the tool for you.  Just boot up the program, click the arrow next to the 'Erase Schedule' option at the top of the screen, and select New task.  From there, a window pops up with the task and time-scheduling options.  Click Add Data to select the files to wipe and choose an erasure method (I usually go with the DoD three-pass option).  Get it here.  For Win 10.

An Eraser option also appears when you right-click on a file in Windows Explorer, allowing you to permanently delete files quickly and easily.

Eraser has a ton of advanced scheduling and file options if you want to securely wipe specific files or sectors of your hard drive on a regular basis.  Be careful while you tinker with the finer settings, though—you don't want to accidentally wipe something important.  Also note that Eraser works only with mechanical hard drives, as the wear-leveling algorithms in solid-state drives (SSDs) negate the utility's ability to securely wipe information.
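To make the idea of a "pass" concrete, the following added Python example (not Eraser's code and not part of the original article) overwrites one file in place several times, flushes each pass to the device, checks the final pass by reading it back, and only then deletes the file.  The function names and the zeros, ones, random pass sequence are assumptions chosen for illustration; as noted above, overwriting in place is only meaningful on a mechanical hard drive.

```python
import hashlib
import os

CHUNK = 1024 * 1024  # write in 1 MiB pieces so large files never sit in memory

# Assumed pass sequence (the article only says "ones and zeroes"): zeros, ones, random.
PASS_FILLS = (lambda n: bytes(n), lambda n: b"\xff" * n, os.urandom)

def _write_pass(f, size, fill):
    """Overwrite the whole file once and return the SHA-256 of what was written."""
    digest = hashlib.sha256()
    f.seek(0)
    left = size
    while left:
        block = fill(min(CHUNK, left))
        f.write(block)
        digest.update(block)
        left -= len(block)
    f.flush()
    os.fsync(f.fileno())  # push this pass to the device before the next one starts
    return digest.hexdigest()

def _read_digest(f):
    digest = hashlib.sha256()
    f.seek(0)
    while chunk := f.read(CHUNK):
        digest.update(chunk)
    return digest.hexdigest()

def overwrite_in_place(path, passes=3):
    """Run `passes` complete overwrites of `path` without changing its size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        written = None
        for i in range(passes):
            written = _write_pass(f, size, PASS_FILLS[i % len(PASS_FILLS)])
        # Read-back goes through the OS cache: it catches a failed or short write.
        if passes and _read_digest(f) != written:
            raise OSError("read-back does not match the final pass")
    return size

def wipe_file(path, passes=3):
    """Overwrite the file, then remove its directory entry."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size
```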

Securely Erase Your USB Flash Drive
Did you think using Eraser was simple?  Roadkil's Disk Wipe is even easier, and it works just fine on USB flash drives as well as traditional hard drives.  Simply download, unzip, and boot the itty-bitty application, and then select a drive and type in the number of passes you'd like the program to make (Again, we suggest at least three).  Choose to either wipe the disk or fill it with junk data, click Erase, and you're done.  Roadkil's Disk Wipe hasn't been updated in years, but it hasn't needed to be—it just works.  Be sure to select your operating system when you download the utility.  Get it here,  Win 7,  Win 8.

A Note on Whole-Disk Wiping Software: Wiping entire drives requires slightly more complicated solutions than the easy-to-use apps mentioned previously.  Since you'll be deleting the data from the drive that likely holds your PC's operating system, most tools that wipe whole drives require you to move the program to a flash drive or create a bootable disc from an .iso file.

To ensure that things run smoothly, you should also dive into your BIOS settings and make sure that your drives are set to IDE mode.

Securely Erase a Mechanical Hard Drive With DBAN
DBAN is a time-tested option for erasing HDDs that's loved by geeks around the world despite the fact that it hasn't been updated in years.  Once you've downloaded it and burned the .iso to a disc, insert the disc into your PC and tell your computer to boot to the optical drive rather than your hard drive.  If you're hoping to erase a RAID-enabled hard drive, you'll need to disassemble the RAID volume and set each disk to JBOD mode before you start, as well.  Get it here.

Once DBAN is up and running in all its blue-and-white glory, you simply select which disk to wipe and press the M key on your keyboard to select an erasure method.  The three-pass "DoD Short" is (still) my preferred method, though more-robust options are available.  Press F10 to start the wipe once everything looks good.  Depending on the method you choose and the size of the disk, erasing the data can take hours or even days.  Bring a sandwich, or better yet, walk away and do something else while DBAN does its magic.

Securely Erase a Hybrid Drive or SSD With Secure Erase
Wiping data off of an SSD is a little different than erasing data from a HDD thanks to the wear-leveling algorithms used to write data evenly to an SSD.  To securely erase all the data on an SSD, you use a command—called Secure Erase, appropriately enough—that's built into the firmware of all modern SATA drives and older PATA/IDE drives.  Some SSDs ship with the ability to initiate secure erase, but if your drive doesn't, a top third-party program that can activate the command and wipe SSDs is the Center for Magnetic Recording Research's Secure Erase Tool.  Get it here.

To run the CMRR's Secure Erase Tool, you'll need to download the utility and then transfer the file to a flash drive or CD and boot to it directly.  Type hdderase in the DOS prompt and press Enter to start the wipe.  The utility works on SSDs and mechanical hard disks alike, which makes it perfect for use with hybrid drives.

More Secure Than External Wipers
Since it is internal to the drive, it doesn’t exact much overhead compared to external wipers like the open source Boot and Nuke or similar commercial products.  Even better, it is more secure, protecting the data from keyboard (file recovery utilities) attacks and laboratory attacks.

In fact, NIST (National Institute of Standards and Technology) rates Secure Erase’s effectiveness on a par with degaussing a hard drive.  Degaussing (strong magnetic field) is losing favor because of a combination of increasing media coercivity and improved magnetic shielding.  Once HAMR (Heat Assisted Magnetic Recording) arrives, it may be practically impossible to degauss a drive short of a nuclear weapon’s electro-magnetic pulse.  Then we’ll likely be down to Secure Erase and physical destruction as NIST-approved methods of sanitizing disks.

A Blunt Instrument
Secure Erase doesn’t give you many choices: it erases all the user space on the drive, one track at a time.  It can erase HPA (Host Protected Area) or DCO (Device Configuration Overlay) areas, if any, as well.  Some drives implement an enhanced Secure Erase which instead of writing zeros writes a pattern set by the vendor and that overwrites all bad blocks as well.
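Before issuing Secure Erase it is worth confirming that the drive reports the ATA security feature set as supported, and that it is neither frozen nor locked, since the drive refuses the command in either state.  The following added Python example (not from the original article and not CMRR's tool) parses the Security section printed by the Linux `hdparm -I` command; using hdparm is an assumption, since the article covers only the DOS-based HDDErase, and the sample output and function names are constructed for illustration.

```python
# Constructed sample: the "Security:" section as printed by `hdparm -I /dev/sdX`.
SAMPLE_FROZEN = (
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\t\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\t2min for SECURITY ERASE UNIT. 8min for ENHANCED SECURITY ERASE UNIT.\n"
    "Checksum: correct\n"
)
SAMPLE_READY = SAMPLE_FROZEN.replace("\t\tfrozen", "\tnot\tfrozen")

# Labels in the listing mapped to the keys this example reports.
LABELS = {"supported": "supported", "enabled": "enabled", "locked": "locked",
          "frozen": "frozen", "supported: enhanced erase": "enhanced_erase"}

def parse_security(text):
    """Return {flag: bool} from the Security section; a leading 'not' means False."""
    state, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
        elif in_section and line.strip() and not line[0].isspace():
            break  # an unindented line starts the next section
        elif in_section:
            words = line.split()
            negated = words[:1] == ["not"]
            label = " ".join(words[1:] if negated else words)
            if label in LABELS:
                state[LABELS[label]] = not negated
    return state

def erase_blockers(state):
    """List the reasons the drive would refuse a Secure Erase command right now."""
    blockers = []
    if not state.get("supported"):
        blockers.append("drive does not report the ATA security feature set")
    if state.get("frozen"):
        blockers.append("security is frozen; power-cycle the drive to clear it")
    if state.get("locked"):
        blockers.append("drive is locked; unlock it with its password first")
    return blockers
```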

When the Process is Done Your Drive is Empty and Ready for OS Formatting.

But Wait!  There’s More!
Dr. Gordon Hughes has created a utility that enables Secure Erase on Windows machines, included in the download above.  This utility is for experienced storage heads and is not for the timid.

Dr. Hughes has also co-authored a paper (pdf) called Data Sanitization Tutorial that gives a brief, 12 page overview of the requirements and options for secure data elimination.  Get it here.

If you are in government, or deal with those who are, you should also check NIST’s (National Institute of Standards and Technology) special Computer Security publication page.  Of special interest is publication 800-88 “Guidelines for Media Sanitization” which covers disks and other media as well.  Get it here.
