📞 +1 437-996-2283 ✉ purchase@maxicom.ca
NIST 800-88 · Data Sanitisation

NIST 800-88 explained: when to Clear, when to Purge, when to Destroy.

NIST SP 800-88 Rev. 1 (Guidelines for Media Sanitization) is the standard every modern IT organisation should follow for data destruction. But it's not a single method — it's a decision tree. This guide walks you through the three sanitisation levels (Clear, Purge, Destroy) and when to use each one, with examples for every storage type you're likely to retire.

The framework

What NIST 800-88 actually is

NIST SP 800-88 is a U.S. National Institute of Standards and Technology publication — freely available, widely adopted globally. It defines three levels of media sanitisation: Clear (overwrite), Purge (crypto erase), and Destroy (physical destruction).

NIST doesn't mandate which level you use. Instead, it gives you a decision tree based on storage type, data classification, and whether you can verify sanitisation has actually worked. Your job is to pick the level appropriate to your risk and your device type.

The standard also acknowledges that some storage media (old tape, encrypted drives, factory-sealed devices) cannot be safely overwritten or logically verified. For those, physical destruction is the only defensible option.

The three levels

Clear vs Purge vs Destroy: what each one means

Here's a plain-English breakdown of the three sanitisation methods NIST defines.

  • Clear (overwrite) · Single or multi-pass software overwrite of all addressable storage sectors. Examples: DBAN, secure-erase tools. Renders data unrecoverable via normal read operations. Works for HDD, some SSDs. Does NOT work on encrypted or inaccessible sectors.
  • Purge (cryptographic) · Destruction of the encryption key, secure-erase command, or firmware-level wipe. Renders encrypted data cryptographically unrecoverable without the key. Works for modern SSDs with built-in secure-erase, encrypted devices, and storage with key-based erasure. Faster than overwrite. Verification is harder.
  • Destroy (physical) · Disintegration to particle size, shredding, incineration. The only method that guarantees data is physically inaccessible. Required when Clear and Purge are not verifiable or not available.

Decision tree by storage type

Which method for which device?

HDD (spinning disk)

Clear (multi-pass overwrite) is standard. Purge not applicable. Destroy if overwrite fails or data was encrypted. Verify clearance with post-wipe disk sampling.

SSD (SATA, M.2)

Purge (TRIM/secure-erase command) is preferred. Clear not reliable due to wear-levelling and spare sectors. Destroy if secure-erase is unavailable or device is encrypted.

NVMe (PCIe)

Purge via secure-erase command (cryptographic erase of key) is standard. Verify with vendor docs that secure-erase is supported. Destroy for factory-encrypted or key-locked devices.

Tape (LTO, DLT, legacy)

Clear not applicable (no addressable sectors). Purge not feasible (no crypto). Destroy (shred) is mandatory. Verify tape was included in shred batch via barcode or serial tracking.

Optical (CD-R, DVD-R, Blu-ray)

Clear and Purge not applicable (data is write-once). Destroy (shred, burn, or incinerate) is the only option. Batch shred with serial-number tracking.

USB/Flash drives

Purge (via secure-erase if supported) is preferred. Clear (overwrite) may not reach all sectors due to wear-levelling. Destroy (shred) is safest for high-sensitivity data or if verification fails.

Decision logic

How to pick the right method

NIST's decision tree is contextual. Here's how to apply it to your own devices.

  • Step 1: Classify the data · How sensitive is what was on this device? Public data can use Clear. Customer data should use Purge. Encryption keys, credentials, or production secrets should use Destroy.
  • Step 2: Check storage type · Can this device type be safely overwritten? HDD and some SSDs: yes. Tape: no. Encrypted NVMe: requires key destruction, not overwrite.
  • Step 3: Verify ability · Can you verify that Clear or Purge actually worked? For HDD + Clear: yes, via post-wipe sampling. For SSD + Purge: maybe, depends on vendor API. For tape: no — you can't re-read the tape after a 'purge' to confirm.
  • Step 4: Choose method · If verify=yes and sensitivity is low/medium: Clear or Purge. If verify=no or sensitivity is high: Destroy. If data was encrypted and key was destroyed separately: Purge + key destruction is acceptable; Destroy is safer.

Practical checklist

Per-asset method selection

When you're building a disposal project, use this checklist to document method choice per asset or asset class.

  • Device type: HDD / SSD / NVMe / Tape / Optical / USB / Other
  • Capacity: GB/TB (for reference)
  • Data classification: Public / Internal / Confidential / Secret
  • Was it encrypted at rest? Yes / No
  • Encryption key: still available? / lost / destroyed separately?
  • Chosen method: Clear / Purge / Destroy
  • Rationale: why this method (e.g. 'Purge: SSD with hardware secure-erase support; data classified Confidential; key destroyed during device wipe.')
  • Verification method: sampling / log review / batch ID / physical inspection
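
The four decision steps and the checklist above, combined into one per-asset record generator. This is an added example, not Maxicom's tooling or part of NIST SP 800-88; the field names, the treatment of "Secret" as the high-sensitivity tier and the handling of unknown device types are assumptions.

```python
from dataclasses import dataclass

# Preferred non-destructive method per device type, from the per-device
# guidance above. None means Clear and Purge do not apply (tape, optical).
PREFERRED = {"HDD": "Clear", "SSD": "Purge", "NVMe": "Purge",
             "USB": "Purge", "Tape": None, "Optical": None}
HIGH = {"Secret"}  # assumption: "Secret" is the high-sensitivity tier

@dataclass
class Asset:
    serial: str
    device_type: str
    capacity_gb: int
    classification: str    # Public / Internal / Confidential / Secret
    encrypted: bool        # encrypted at rest?
    key_status: str        # available / lost / destroyed / n/a
    can_verify: bool       # Step 3: can the result be checked afterwards?

def select_method(a: Asset) -> tuple[str, str]:
    """Apply Steps 1-4 and return (method, rationale)."""
    # Unknown types ("Other") fall through to Destroy, the conservative choice.
    preferred = PREFERRED.get(a.device_type)
    if preferred is None:
        return "Destroy", f"{a.device_type}: Clear and Purge not applicable"
    if a.classification in HIGH:
        return "Destroy", f"data classified {a.classification}"
    if not a.can_verify:
        return "Destroy", f"{preferred} cannot be verified on this device"
    if a.encrypted and (a.device_type == "HDD" or a.key_status != "destroyed"):
        return "Destroy", f"encrypted {a.device_type}, key {a.key_status}"
    if a.encrypted:
        return "Purge", "encrypted; key destroyed separately"
    return preferred, f"{a.device_type}; data classified {a.classification}"

def disposal_record(a: Asset, verification: str, date: str,
                    operator: str, witness: str) -> dict:
    """One row per device: checklist fields plus date, operator, witness."""
    method, rationale = select_method(a)
    return {"serial": a.serial, "device_type": a.device_type,
            "capacity_gb": a.capacity_gb, "classification": a.classification,
            "encrypted_at_rest": a.encrypted, "key_status": a.key_status,
            "method": method, "rationale": rationale,
            "verification": verification, "date": date,
            "operator": operator, "witness": witness}
```

Writing one such row per serial number (for example with csv.DictWriter) gives the per-device evidence the checklist asks for.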

Common mistakes

NIST 800-88 pitfalls to avoid

  • Assuming all SSDs support secure-erase. Many cheap or legacy SSDs don't have the TRIM/secure-erase command. For those, you'll need to overwrite the drive or shred it instead.
  • Using Clear on encrypted data. Overwriting encrypted data doesn't destroy the encryption key. The key may still be recoverable. Purge the key first, then clear; or just destroy.
  • Not documenting per-device method. 'We destroyed all devices to NIST 800-88 standard' is vague. You need: serial #, method, reason, date, operator, witness.
  • Assuming 'multi-pass' is always better than 'single-pass'. For modern HDD, single-pass overwrite is sufficient for most data. Multi-pass adds time and wear; reserve it for high-sensitivity devices or slower facilities.
  • Mixing verification with faith. NIST says 'verify.' Don't assume the wipe tool actually worked just because it said 'complete.' Spot-check a device post-wipe to confirm sectors are zeroed.
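
A post-wipe spot-check of the kind described in the last pitfall, as an added example (not Maxicom's code or any wipe tool's): it reads the first, last and a random sample of sectors from a device or image, reports any that are not all zeros, and computes how likely a sample of a given size is to catch a small residue. It assumes a zero-fill wipe and 512-byte sectors; the function names and the constructed test image are illustrative.

```python
import os, random, tempfile
from math import comb

SECTOR = 512  # assumed logical sector size; use the device's reported value

def device_sectors(path: str) -> int:
    """Size in sectors; seeking to the end works for image files and block devices."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END) // SECTOR
    finally:
        os.close(fd)

def sample_nonzero(path: str, samples: int, seed=None) -> list[int]:
    """Read first, last and `samples` random sectors; return LBAs that are not all zero."""
    total = device_sectors(path)
    if total == 0:
        raise ValueError("device reports zero sectors")
    rng = random.Random(seed)
    lbas = {0, total - 1} | set(rng.sample(range(total), min(samples, total)))
    zero = bytes(SECTOR)
    bad = []
    with open(path, "rb") as dev:
        for lba in sorted(lbas):
            dev.seek(lba * SECTOR)
            if dev.read(SECTOR) != zero:
                bad.append(lba)
    return bad

def detection_probability(total: int, residual: int, samples: int) -> float:
    """Chance that `samples` distinct random sectors include at least one
    of `residual` non-zero sectors out of `total`."""
    return 1 - comb(total - residual, samples) / comb(total, samples)

def demo_image(sectors: int = 2048, dirty_lba=None) -> str:
    """Constructed test image: all zeros, optionally with one leftover sector."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(sectors * SECTOR))
        if dirty_lba is not None:
            f.seek(dirty_lba * SECTOR)
            f.write(b"leftover customer record".ljust(SECTOR, b"\0"))
    return path
```

The probability function shows the limit of a spot-check: sampling 10 of 100 sectors finds a single leftover sector only 10% of the time, so an empty result is evidence, not proof.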

FAQs · 3 questions

Maxicom Canada — frequently asked

Is DoD 5220.22-M (the old U.S. standard) still acceptable, or should we use NIST 800-88?

DoD 5220.22-M is older (pre-2000s) and was designed for spinning disks. For modern drives (SSD, NVMe), it's overkill and not supported by most tools. NIST 800-88 is newer and covers all storage types. Use NIST 800-88. If you have legacy HDD, DoD 5220.22-M multi-pass is fine, but NIST single-pass Clear is also defensible and faster.

Can we use a free tool like DBAN or Eraser, or do we need commercial software?

Free tools are fine if they implement Clear (overwrite) correctly and your operators are trained. DBAN is NIST-aligned. What matters is the evidence: a per-device log showing what was wiped, when, and by whom. The tool brand is secondary. For a professional ITAD job, many vendors use proprietary tools because they produce auditable logs and tie to serial numbers automatically. For in-house disposal, DBAN + a spreadsheet log is defensible.

If we destroy the encryption key but don't wipe the drive, is that enough?

For practical purposes, yes — without the key, the encrypted data is inaccessible. But NIST 800-88 and most compliance frameworks prefer Purge (wipe the key AND securely erase the sectors) or Destroy. 'Key destruction alone' is defensible if documented, but it puts risk on key-recovery technology improving faster than expected. Better to do both: destroy the key, then purge or destroy the device.

Last reviewed · Maxicom Canada Editorial & Compliance Team
