I have a ThinkPad E580 laptop with a defective (1) NVMe SSD drive, so Lenovo sent me a replacement unit; I have to swap it and send back the faulty one. I want to wipe it before, to make sure nobody can recover my personal data, but I don't know how.
The disk is encrypted with BitLocker (2) (at least the main partition, there are also two system/recovery partitions which aren't). I think that the decryption key is not stored in the disk but in the TPM, which is a chipset in the motherboard. Since I'm only sending back the SSD, it should be secure? Except... there is also the recovery key, to be used in case the TPM is cleared. I didn't set up BitLocker, it was already installed and set up on the computer when I bought it. So, I guess Lenovo had access to said recovery key when they installed Windows 10, right? They probably didn't write it down, but still, maybe just sending the drive is not a good idea after all.
How can I wipe or reencrypt the SSD or whatever, so the data is unrecoverable? Please notice that I need to send it back to them, so I can't just smash it with a hammer or burn it.
I asked Lenovo (3) if they had a SSD secure erase utility and they said they don't. Google disagrees, but maybe that's a deprecated tool, or it's problematic in some way? Or maybe the customer service guy was just lazy.
I should mention that I currently have a second SSD drive installed in the same computer, BitLocker encrypted too, and I don't want to lose the data in there (I have backups, but restoring them is a loooong process). I wouldn't mind disabling BitLocker on it though... it only protects me from somebody stealing my SSD without taking also the rest of the laptop (which would grant them the TPM and the ability to decrypt it), right?
Edit:
(1): The drive is (suspected to be) defective, because sometimes the laptop will have a blue screen of death, then reboot itself and won't be able to recognize the disk (which means, no Windows for me). Once I turn off and on again the laptop, it will work again normally. So yes, it may have some defect, but it's usable and completely readable.
(2): Apparently, what I have is BitLocker Device Encryption, which isn't the same as plain BitLocker (the more I try to understand, the more confused I get!). Windows just says BitLocker cyphered, though. But since my recovery keys were automatically uploaded to my OneDrive account, I guess it's "Device Encryption".
The laptop has TPM 2.0, and I guess the drive decryption key must be stored there, because I don't have to enter a pin, or password, or USB key, or anything, to boot up. Only my Windows credentials (fingerprint, pin or password), but by that time the computer has obviously been able to decrypt the drives.
(3): Lenovo assembled and sold the laptop, but that's just coincidental; I was looking for a Lenovo secure erasure tool because they are also the SSD manufacturer in this case. And I read on many tutorial pages and blog posts, that the old hard drive way of just writing the whole disk with random 0s and 1s a few times, wont work for SSDs, and instead one should try a tool specifically designed by the manufacturer, which will just tell the disk "OK, from now on, consider yourself empty".
No comments:
Post a Comment