How to securely return a BitLocker Device Encryption SSD?

Question

I have a ThinkPad E580 laptop with a defective ⁽¹⁾ NVMe SSD drive, so Lenovo sent me a replacement unit; I have to swap it and send back the faulty one. I want to wipe it before, to make sure nobody can recover my personal data, but I don't know how.

The disk is encrypted with BitLocker ⁽²⁾ (at least the main partition, there are also two system/recovery partitions which aren't). I think that the decryption key is not stored in the disk but in the TPM, which is a chipset in the motherboard. Since I'm only sending back the SSD, it should be secure? Except... there is also the recovery key, to be used in case the TPM is cleared. I didn't set up BitLocker, it was already installed and set up on the computer when I bought it. So, I guess Lenovo had access to said recovery key when they installed Windows 10, right? They probably didn't write it down, but still, maybe just sending the drive is not a good idea after all.

How can I wipe or reencrypt the SSD or whatever, so the data is unrecoverable? Please notice that I need to send it back to them, so I can't just smash it with a hammer or burn it.

I asked Lenovo ⁽³⁾ if they had a SSD secure erase utility and they said they don't. Google disagrees, but maybe that's a deprecated tool, or it's problematic in some way? Or maybe the customer service guy was just lazy.

I should mention that I currently have a second SSD drive installed in the same computer, BitLocker encrypted too, and I don't want to lose the data in there (I have backups, but restoring them is a loooong process). I wouldn't mind disabling BitLocker on it though... it only protects me from somebody stealing my SSD without taking also the rest of the laptop (which would grant them the TPM and the ability to decrypt it), right?

Edit:

(1): The drive is (suspected to be) defective, because sometimes the laptop will have a blue screen of death, then reboot itself and won't be able to recognize the disk (which means, no Windows for me). Once I turn off and on again the laptop, it will work again normally. So yes, it may have some defect, but it's usable and completely readable.

(2): Apparently, what I have is BitLocker Device Encryption, which isn't the same as plain BitLocker (the more I try to understand, the more confused I get!). Windows just says BitLocker cyphered, though. But since my recovery keys were automatically uploaded to my OneDrive account, I guess it's "Device Encryption".

The laptop has TPM 2.0, and I guess the drive decryption key must be stored there, because I don't have to enter a pin, or password, or USB key, or anything, to boot up. Only my Windows credentials (fingerprint, pin or password), but by that time the computer has obviously been able to decrypt the drives.

(3): Lenovo assembled and sold the laptop, but that's just coincidental; I was looking for a Lenovo secure erasure tool because they are also the SSD manufacturer in this case. And I read on many tutorial pages and blog posts, that the old hard drive way of just writing the whole disk with random 0s and 1s a few times, wont work for SSDs, and instead one should try a tool specifically designed by the manufacturer, which will just tell the disk "OK, from now on, consider yourself empty".

Answer 1

I have a ThinkPad E580 laptop with a defective NVMe SSD drive, so Lenovo sent me a replacement unit; I have to swap it and send back the faulty one. I want to wipe it before, to make sure nobody can recover my personal data, but I don't know how to do that.

If the device is defective then won't be able to wipe the data on it. You might want to try formatting the drive, but that is unlikely to have any success since the drive is defective.

Since you are using BitLocker, your data is encrypted, and cannot be recovered without either the key stored in the TPM or the recovery key. Once you clear the TPM, Lenovo will have no way, to recover the data on the defective nVME SSD.

I think that the decryption key is not stored in the disk but in the TPM, which is a chipset on the motherboard. Since I'm only sending back the SSD, it should be secure?

You really should verify if the key is stored in the TPM. If BitLocker is suspended, then the key would be stored on the drive itself, but without the recovery key, nobody can actually use it. Since you are sending the only the NVMe SSD to Lenovo, they have no way access to your data, since they don't have your recovery key. The only way they could get access to the key stored on the device if it's stored there, would be if they had access to your recovery key.

So, I guess Lenovo had access to said recovery key when they installed Windows 10, right? They probably didn't write it down, but still, maybe just sending the drive is not a good idea after all.

Lenovo at no point had access to your recovery key.

I asked Lenovo if they had an SSD secure erase utility and they said they don't. Google disagrees, but maybe that's a deprecated tool, or it's problematic in some way? Or maybe the customer service guy was just lazy.

The device is defective, it's unlikely even if you had attempted to do a secure erase, the operation would be successful. However, third-party tools do exist, which can securely erase the data on the device. You don't need a "Lenovo tool" to do that.

I should mention that I currently have a second SSD drive installed in the same computer, BitLocker encrypted too, and I don't want to lose the data in there (I have backups, but restoring them is a long process). I wouldn't mind disabling BitLocker on it though... it only protects me from somebody stealing my SSD without taking also the rest of the laptop (which would grant them the TPM and the ability to decrypt it), right?

The TPM only actually stores the key for the system disk. Hopefully, you have your recovery key for your secondary device that is encrypted, the recovery key that you were prompted to backup, is the only method to recover your data if something goes wrong.

If you actually have Device Encryption enabled on the device, then your recovery key was automatically uploaded to your Microsoft Account, Device Encryption, and BitLocker while similar are not the same feature.