
Say I have a storage device that I want to use with my Windows 10 machine. I have some sensitive data on the drive and I would like to wipe the drive before using it. Normally I just use dd to fill the drive with /dev/zero or /dev/urandom from a Linux machine. I know that's not the most secure, especially for flash storage, but it should be enough in my case.

But if I am planning to encrypt it with BitLocker in Windows anyway, and select the "encrypt entire drive" option instead of "encrypt used space only", is it necessary to wipe it with dd beforehand? Or does BitLocker essentially secure-wipe it when it encrypts the whole drive?

Does the same answer apply to other full drive encryption methods such as LUKS?

1 Answer


Yes, "encrypt entire drive" with BitLocker should be somewhere between as secure as doing a dd with /dev/zero and as secure as doing one with /dev/urandom. (Using /dev/urandom is theoretically a little more secure than /dev/zero, but that is not a practical concern here.)

Like with dd, the parts of the disk that are overprovisioned won't be wiped/encrypted initially - so there may be fragments that can be read unless/until those are overwritten.

The important part is the "encrypt entire drive" which will encrypt everything.

Doing a standard luksformat /dev/devname will not encrypt the entire drive. (I just tried this). You would want to "zero out" the empty space on the mounted drive after formatting it.

For that matter, if you did not encrypt the entire partition, it would likely be better to dd /dev/zero to a file on the encrypted drive and then delete that file (even under BitLocker), so that the underlying disk is filled with random-ish data rather than straight zeros.

  • I'd go for dd /dev/random, just out of paranoia. It's unlikely that assuming the blank areas are full of zeroes will let someone crack the encryption key (not with modern encryption algorithms, at least), but it's happened before.
    – wizzwizz4, commented Mar 24 at 18:41
  • @wizzwizz4: On the systems where there is a difference between /dev/random and /dev/urandom, /dev/random will not be appropriate for that purpose, given it would block whenever it decided entropy had fallen too low, and randomizing hundreds of GB or TB of data would involve you sitting there jiggling the mouse for hours just to let it finish.
    – commented Mar 24 at 21:51
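The answer above makes two practical points: fill the free space of an already-mounted encrypted volume with zeros (which land on disk as ciphertext) and then delete the fill file, and be aware that whatever was never overwritten stays readable. The following is an added example, not code from the original question or answer, and not from the BitLocker or cryptsetup projects. It does both things in Python: `fill_free_space()` is the "dd /dev/zero to a file, then delete it" trick with clean handling of a full filesystem and an optional size cap, and `classify_image()` is the check you would run over a raw dump of the underlying device afterwards, labelling each chunk as all-zero, plaintext-like or random (i.e. consistent with ciphertext). The mount directory, the fill file name, the 64 KiB chunk size, the 7.9-bit entropy threshold and the sample "image" are all assumptions constructed for the example; a real check would read the block device or an image of it. As the answer notes, none of this reaches over-provisioned flash that is not addressable from the host.

```python
"""Added example (not from the original post): zero-fill free space on a
mounted encrypted volume, then scan a raw image for regions that are still
literal zeros or plaintext. Needs Python 3.9+ (random.Random.randbytes)."""
import errno
import math
import os
import random
import tempfile
from collections import Counter

CHUNK = 64 * 1024              # assumed granularity for writing and scanning
ZERO_CHUNK = b"\x00" * CHUNK


def fill_free_space(mount_dir, max_bytes=None, filename=".zero_fill"):
    """Write zeros into a file on the mounted (encrypted) volume until the
    filesystem is full (ENOSPC) or max_bytes is reached, fsync, then delete
    the file. Under BitLocker/LUKS the zeros are stored as ciphertext, so
    previously unwritten free space no longer reads back as zeros.
    Returns the number of bytes written. mount_dir/filename are assumptions."""
    path = os.path.join(mount_dir, filename)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    written = 0
    try:
        while max_bytes is None or written < max_bytes:
            chunk = ZERO_CHUNK if max_bytes is None else ZERO_CHUNK[:max_bytes - written]
            try:
                n = os.write(fd, chunk)
            except OSError as e:
                if e.errno == errno.ENOSPC:   # filesystem full: that is the goal
                    break
                raise
            if n == 0:
                break
            written += n
        try:
            os.fsync(fd)                      # force the blocks to the device
        except OSError as e:
            if e.errno != errno.ENOSPC:       # delayed allocation may report it here
                raise
    finally:
        os.close(fd)
        os.unlink(path)                       # free the space; ciphertext stays on disk
    return written


def shannon_entropy(data):
    """Bits of entropy per byte, estimated from the byte histogram of data."""
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def classify_chunk(chunk, random_threshold=7.9):
    """Label one chunk of a raw device image."""
    if chunk.count(0) == len(chunk):
        return "zero"        # never written, or dd'd with /dev/zero but not encrypted
    if shannon_entropy(chunk) >= random_threshold:
        return "random"      # indistinguishable from ciphertext or /dev/urandom
    return "plaintext"       # structured data that was never overwritten


def classify_image(image, chunk_size=CHUNK):
    """Return [(offset, label), ...] for every chunk of the image."""
    return [(off, classify_chunk(image[off:off + chunk_size]))
            for off in range(0, len(image), chunk_size)]


def region_counts(image, chunk_size=CHUNK):
    """How many chunks of each label the image contains."""
    return Counter(label for _, label in classify_image(image, chunk_size))


def build_sample_image():
    """Constructed stand-in for a dump of a device encrypted with 'used space
    only': one chunk of ciphertext-like random bytes, one chunk of plaintext
    left behind, one chunk of untouched zeros."""
    rng = random.Random(2024)                 # seeded so the sample is reproducible
    ciphertext = rng.randbytes(CHUNK)
    leftover = (b"BEGIN CONFIDENTIAL CUSTOMER LIST\n" * 2048)[:CHUNK]
    return ciphertext + leftover + ZERO_CHUNK


def fill_demo(max_bytes=2 * CHUNK + 123):
    """Run fill_free_space() on a throwaway directory with a size cap so the
    example does not actually fill the host filesystem.
    Returns (bytes_written, fill_file_removed)."""
    with tempfile.TemporaryDirectory() as d:
        written = fill_free_space(d, max_bytes=max_bytes)
        gone = not os.path.exists(os.path.join(d, ".zero_fill"))
    return written, gone


if __name__ == "__main__":
    for off, label in classify_image(build_sample_image()):
        print(f"offset {off:>8}: {label}")
    print("fill demo (bytes written, file removed):", fill_demo())
```

On a real volume you would call `fill_free_space("/mnt/encrypted")` with no cap and let it stop at ENOSPC, then image the underlying block device (not the mounted filesystem) and run `region_counts()` over it; any "zero" or "plaintext" chunks are regions the encryption never covered. The threshold of 7.9 bits per byte is a judgement call for 64 KiB chunks: ciphertext measures close to 8.0, while compressed data can also score high, so a "random" label means "not obviously leaking", not "proven encrypted".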
