Encryption can be applied to data stored on an SSD (solid-state drive). When encryption is activated for data storage on the SSD, the data that is to be written onto the SSD is encrypted, and the encrypted data is written onto the SSD. In other words, when encryption is enabled, all data is encrypted before being written onto the SSD. In some cases, when a user starts using a system, the SSD on the system can contain unencrypted data. In this scenario, some regions of the SSD (referred to as “unencrypted regions”) might contain unencrypted data, while other regions of the SSD (referred to as “encrypted regions”) might contain encrypted data. When data is written onto the unencrypted regions of the SSD, the data is written as clear text, which is unencrypted. Conversely, when data is written onto the encrypted regions of the SSD, the data is written as encrypted data.
A problem can occur when clear text is written on the SSD, because the clear text might remain hidden on the SSD for an indefinite period of time. In other words, the clear text might not get overwritten even after all other data in the SSD has been encrypted on a logical level. In some cases, the indefinite period of time can be a few days, a few months, or even a few years. Because an actual physical size of the SSD can be larger than its logical size, the SSD can have space where the clear text is written to and remains hidden. In some embodiments, the unencrypted clear text can remain “hidden” when stored in a special region used for a mapping table that maps the logical volume to the physical volume. Notably, this situation can present a security problem. Specifically, if the system with the “encrypted” SSD gets stolen, an unauthorized third party might be able to remove the physical SSD chip from the system and extract the unencrypted clear text. In other words, when the system has written unencrypted clear text on the SSD, there is no guarantee that the system can overwrite the exact physical region of the SSD where unencrypted clear text is written with encrypted data. Even if the system writes to every logical block, the system might still not be able to overwrite the block that contains the unencrypted clear text (as the actual physical size of the SSD can be larger than its logical size).
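The following added example (not part of the original text) models the problem with a deliberately simplified flash translation layer. The ToyFTL class, the 8/12 page counts, the SECRET marker and the XOR stand-in cipher are all assumptions made for illustration. It shows that rewriting every logical block with encrypted data still leaves clear text in physical pages that the mapping table no longer references.

```python
import hashlib

class ToyFTL:
    """Simplified flash translation layer (assumed model, not a real controller)."""
    def __init__(self, logical_pages, physical_pages):
        assert physical_pages > logical_pages      # physical size exceeds logical size
        self.flash = [None] * physical_pages       # raw physical pages
        self.free = list(range(physical_pages))    # erased pages, ready to program
        self.l2p = {}                              # mapping table: logical -> physical

    def write(self, lba, data):
        if not self.free:
            self._collect_garbage()
        ppn = self.free.pop(0)
        self.flash[ppn] = data                     # flash is written out of place
        self.l2p[lba] = ppn                        # old page is now stale, NOT erased

    def read(self, lba):
        return self.flash[self.l2p[lba]]

    def _collect_garbage(self):
        live = set(self.l2p.values())
        for ppn in range(len(self.flash)):
            if ppn not in live:                    # erase only unmapped pages
                self.flash[ppn] = None
                self.free.append(ppn)

def toy_encrypt(key, lba, data):
    # Stand-in for the demo only: XOR with a SHA-256-derived keystream.
    stream = hashlib.sha256(key + lba.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def run_demo(logical=8, physical=12, marker=b"SECRET"):
    ftl = ToyFTL(logical, physical)
    for lba in range(logical):                     # constructed clear-text pages
        ftl.write(lba, marker + b"-%02d" % lba)
    for lba in range(logical):                     # "encrypt" every logical block
        ftl.write(lba, toy_encrypt(b"demo-key", lba, ftl.read(lba)))
    logical_view = [ftl.read(lba) for lba in range(logical)]
    live = set(ftl.l2p.values())
    stale = [p for p, d in enumerate(ftl.flash)
             if d is not None and marker in d and p not in live]
    return logical_view, stale

if __name__ == "__main__":
    view, stale = run_demo()
    print("clear text visible logically:", any(b"SECRET" in v for v in view))
    print("physical pages still holding clear text:", stale)
```

Every logical read returns ciphertext, yet a raw read of the physical pages in this model still recovers the clear text from the stale pages.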
One solution to this problem involves activating encryption for the SSD and waiting for the system to complete encrypting the entire SSD before writing additional data onto the SSD. However, the encryption process can take hours or even days to complete, so this solution is very time-consuming and inconvenient. Another solution involves keeping track of writes to every single block, and whether each block is encrypted or unencrypted. For a typical system, a single block can contain 4 KB (where 1 KB = 1024 bytes), so this solution would involve keeping track of every 4 KB block. In particular, the system would keep track of whether the write is performed on an encrypted block or on an unencrypted block. When the system reads data from the single block at a later time, the system determines whether the block is encrypted or unencrypted. If the block is encrypted, the system decrypts the data and returns the unencrypted data. If the block is unencrypted, the system returns the raw data, which is unencrypted. Unfortunately, using a 4 KB block can result in a very large mapping table (e.g., 1 terabyte contains 10⁹ KB, or roughly 2.5×10⁸ 4 KB blocks). Moreover, a large number of writes and reads associated with the mapping table over a period of time can result in a complicated mapping table that requires considerable overhead to implement.