[Cryptography] Magnetic media destruction question

[Darren Moffat]

> On 13 Jan 2026, at 06:51, Nico Williams <nico at cryptonector.com> wrote:
> 
> For harddrives (including solid state ones) I'd say first always encrypt
> everything (well, close to everything) on them, that way losing the keys
> is the first step to destroying the data on the drives.  

I remember an ex-colleague of Nico and I (who I think is on this list) saying “All Disks/Tapes leave the datacentre eventually”. Implying that encryption from day one of use is important and you can’t assume you will get to overwrite. Specifically because some of those disks/tapes are unserviceable when they leave and you can’t perform software based overwriting at that point, only physical destruction. 

Like you I generally recommend that OS software level encryption is performed for as much of the content as possible. Be that a block layer shim like GELI, LUKS or file system layer like ZFS (yes I maybe slightly biased on that one). Or in some cases where virtualisation or NAS/SAN is involved you might be doing both anyway. 

For “disk” level encryption If you can’t get the cipher text off the device and can verify it matches using the same keymat then don’t trust it is encrypting. 

Then if you are repurposing or destroying the drive while it still functions also tell it to do the “secure erase” step, which many drives will do by a
key change, in addition to software overwriting (but wear levelling and bad sector remapping means you likely can’t reach everywhere you previously wrote).

Then add physical destruction where appropriate.

So I wondered at the start of this thread of the reason for the smaller fragments was an attempt to address the case where software overwriting wasn’t possible. 

Darren