As bill pointed out you don't do a 3 pass wipe on SSDs or more specifically you shouldn't. That's just wasting their endurance and does nothing over NVMe's built in sanitize command. With SSDs simply deleting the mapping table or encryption key is enough to render all data on the drive non-viable. I'd also stick with one of the software suits designed to handle data sanitization like DBAN or KillDisk as you mentioned you intend to use. Other pieces of software may have a "secure erase" or wipe feature but often times this will only be designed for HDDs in that it'll do x number of writes over the data.
I've been playing around with external USB enclosures for the past week. They are very unreliable and inconsistent. And unless I have them plugged into a Thunderbolt connection, very slow. The other problem is most of them have trouble detecting the serial number of each drive which I need for documentation. It's a pain having to input the serial numbers manually in KillDisk.
Surprisingly the best luck I've had with external wiping was on an M2 Mac Mini using a Thunderbolt 4 hub.
Yes, I've also found that sometimes they prevent me from issuing sanitize or secure erase commands as well. My sample size is small though, I only have 2 external docks. I'm sure there has to be some kind of external enclosure that is reliable that is used by people who do this a lot. It can be very time consuming to install and uninstall M.2 drives if you are doing a lot of them.
To add to that, most SSDs are self-encrypting, meaning that you only need to throw away the encryption key (using an app) and data is no longer readable. Note, I'm not talking about encryption like BitLocker.
It should be noted that most consumer SEDs don't enable encryption until the user turns it on. Encryption on windows, both software and hardware, in handled by BitLocker. You can see Crucial's guide for enabled encryption on SEDs here:
https://www.crucial.com/support/articles-faq-ssd/setup-ssd-encryption-via-bitlocker
Many people will assume their data is safe when in fact encryption might be entirely disabled.
I've been led to understand that "Secure Erase" actually is the instruction to the drive to throw away that encryption key, though whether that is actually "secure" is open to definition, depending on your requirements and, in the end, threat profile.
I think "3 pass DOD wipe" has long been superseded as a standard. Really Important stuff now gets pulverized.
The actual implementation of secure erase varies a bit from vendor to vendor and depends on the drive's feature set. A different command is issued for a SATA SSD for example as compared to a NVMe SSD. More info on that here:
https://www.killdisk.com/manual/index.html#erase-concepts.html
A SED with encryption enabled could indeed just delete the encryption key and that would be acceptable. A drive with encryption disabled might just delete the mapping table and mark all blocks for deletion.
This is all new info for me. The company that supplied the NVME's is requiring the 3 pass DOD wipe with documentation. Is there a better, more secure way to "sanitize" them. A way that we would be able to prove to the company that the data is actually not retrievable. Or the only way to be sure is actually physically destroying the drive?
NIST 800-88 indicates that either secure erase or sanitize meet acceptable purge methods. Doing a drive wipe that simply overwrites doesn't actually delete all the data on an SSD:
"The mapping layers, and how the flash controller manages memory allocation, pretty much ensure that either erasing or performing a conventional hard drive type of secure erase won’t ensure all data is overwritten, or even erased at all."
That said if the company that is supplying the drives requires a specific approach, it's unlikely that you'll have much sway if they are a government organization or any company of size. I wouldn't attempt to go down that rabbit hole unless you are dealing with an small business or individual that perhaps doesn't know better. Anythign bigger has far too much inertia.
