Is SSD raw partition overprovisioning secure?

[orif]

I have an SSD, split into 3 partitions - C (Windows), D (user files) and raw partition. The idea of the raw partition is to provide SSD overprovisioning, although there is no explicit overprovisioning option activated (like in Samsung Magician). Will the SSD write unencrypted data from C and D partitions to the raw partition or data from C is written only to C and data from D is written only to D?

[minesheep]

No new data will be written to the raw partition unencrypted after encryption, but existing data before encryption may not be properly erased on ssd no matter what you do. This also applies to for example the old password if you change it (in the future). You can't secure erase/overwrite ssd type memory. So if you already stored your personal data on ssd without encryption then it will not ever be 100% secure. You can still encrypt it and it will be a lot more secure in future (than no encryption). Sadly SSDs and SMR HDDs can't be encrypted secure. It's hardware limitation not software so commercial encryption software is not any better.

[minesheep]

Note that the ssd will not ever receive unencrypted data after encryption. SSDs are only storage devices. The data is encrypted in working memory (RAM) with CPU and then its given to SSD to be stored. When data is needed its first taken from ssd and then decrypted in the fly in RAM. RAM will lose all its data (including decrypted data) when power is off.

Documentation about SSDs: https://www.veracrypt.fr/en/Wear-Leveling.html
Doc about all security precautions: https://www.veracrypt.fr/en/Security%20Requirements%20and%20Precautions.html
Note that encrypted SSD may not be secure while unencrypted SSD is not secure.

[orif]

Thank you very much! Now, when I think about the overprovisioning issue, maybe I forgot the main question - will this raw partition ever be used for overprovisioning by the SSD after all? Because if it won’t, then I’d better format, encrypt and use this partition instead of keeping it raw.

Regarding the other issue you point out, I read about TRIM but I didn’t quite understand whether VeraCrypt handles it or TRIM should be (for security reasons) disabled for encrypted SSDs. If VeraCrypt formats (quick format preferably) an SSD before full drive encryption (and then copy my files on the newly formatted and encrypted disk) - will everything be 100% secure?

[minesheep]

You cannot erase unencrypted data off SSD once you put it here.

The problem is that for example 240gb (240 000 000 000bytes) SSD actually has 274877906944 bytes (about 275gb of storage or 2^38 bytes). You can only fill (overwrite) 240gb of it with random values or zeroes (random data can be for example veracrypt formatting producted). This leaves 34877906944 bytes or about 34gb of data unerased! You can google "How to erase SSD" or read about wear levelling, but you can't properly erase whole ssd. SSDs spread your data to that 275gb of storage but only shows you 240gb of storage you cannot manage the "hidden" 34gb, but data recovery services can take the chips off and see that 34gb of otherwise invisible storage. Should this 34gb hold your old password or your old password and your old confidential data? OOPS! Yes there is the secure erase, but how secure it is? according to https://skrilnetz.net/the-truth-about-how-to-securely-erase-a-solid-state-drive-ssd/ the built in secure erase may not be secure so there is no real way to safely erase SSD. Of course SSDs with capacity different than 240gb also uses wear levelling
120gb SSDs have real capacity of 137 438 953 472 or 2^37 bytes vs 120 000 000 000 bytes
480gb SSDs have real capacity of 549 755 813 888 or 2^39 bytes vs 480 000 000 000 bytes
and so on... this means 120gb SSD has 17 438 953 472 bytes (17,4gb) of hidden storage and
480gb SSD has 69 755 813 888 bytes (69,8gb) of hidden storage

References: https://skrilnetz.net/the-truth-about-how-to-securely-erase-a-solid-state-drive-ssd/ (secure erase is not secure, overwriting is not secure)