1. Field
The present invention relates generally to protecting sensitive data from undesired recovery in a storage device having wear leveling.
2. Background
Solid state storage devices using flash memory are becoming prevalent due to advantages in performance, robustness, and power consumption. Flash memory is susceptible to wear as a result of repeated write and erase operations that are inherent in particular data storage applications including hard disk drive replacement applications. Read operations do not cause significant wear.
A storage device having flash memory is often organized into physical storage blocks having hundreds or thousands of addressable storage locations. A typical workload in a disk drive replacement application may be markedly asymmetric, meaning that some addresses are written to much more often than others. A technique of “wear leveling” is generally applied to prevent any particular storage block from reaching its maximum number of erase cycles significantly before other storage blocks, and thus prematurely limiting the longevity of the storage device. An entire physical storage block is erased in a “flash” operation. Thus, to overwrite data in a physical storage block, the entire block must first be erased with a flash operation before the new data is written to the storage locations.
Wear leveling may use a different underlying physical storage block, at different times, to represent a particular logical address. Thus, an operation to overwrite an initial value in a particular storage location of an initial physical storage block may result in the new value being written to a storage location of a different available physical storage block. Although an address pointer would now point to the new storage location with the new value, the initial value may remain in the storage location of the initial physical storage block until sufficient storage locations are “overwritten” to cause a cleanup operation that moves any remaining valid data to storage locations in an available physical block and flash erases the initial physical storage block. In the meantime, an attacker may recover the initial value before the cleanup operation.
Worse still, when a physical storage block approaches failure, it is taken out of service by the wear leveling algorithm. The sidelined physical storage location may never be erased and thus may retain its contents for the life of the storage device.
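As an added illustration (not part of this disclosure), the following toy model of a wear-leveled flash translation layer shows both effects described above: after a logical overwrite the earlier value persists in its original physical page until a cleanup erases that block, and a block retired at its erase limit keeps whatever it held. The block geometry, erase limit and written values are constructed for the example.

```python
PAGES_PER_BLOCK, NUM_BLOCKS = 2, 3  # constructed toy geometry; real blocks hold hundreds or thousands of pages
ERASE_LIMIT = 1                     # constructed: a block erased this many times is retired, not erased again

class WearLeveledFlash:
    def __init__(self):
        self.pages = [[None] * PAGES_PER_BLOCK for _ in range(NUM_BLOCKS)]
        self.fill = [0] * NUM_BLOCKS        # next unwritten page in each block
        self.erases = [0] * NUM_BLOCKS
        self.retired = set()
        self.fwd = {}                       # logical address -> (block, page) holding the live copy

    def _blocks_with_room(self):
        return [b for b in range(NUM_BLOCKS) if b not in self.retired and self.fill[b] < PAGES_PER_BLOCK]

    def write(self, addr, data):
        while not self._blocks_with_room():
            self._cleanup()
        b = min(self._blocks_with_room(), key=lambda i: self.erases[i])  # least-worn block first
        p = self.fill[b]
        self.fill[b] += 1
        self.pages[b][p] = data
        self.fwd[addr] = (b, p)             # the previous copy is only unmapped, never cleared

    def _cleanup(self):
        live = set(self.fwd.values())       # victim: a full block holding no live data
        victim = next(b for b in range(NUM_BLOCKS) if b not in self.retired
                      and not any((b, p) in live for p in range(PAGES_PER_BLOCK)))
        if self.erases[victim] >= ERASE_LIMIT:
            self.retired.add(victim)        # sidelined for the life of the device, contents intact
        else:
            self.pages[victim] = [None] * PAGES_PER_BLOCK           # the flash erase
            self.fill[victim], self.erases[victim] = 0, self.erases[victim] + 1

    def stale_copies(self):                 # pages holding data that no logical address maps to any more
        live = set(self.fwd.values())
        return {(b, p): self.pages[b][p] for b in range(NUM_BLOCKS) for p in range(PAGES_PER_BLOCK)
                if self.pages[b][p] is not None and (b, p) not in live}

def demo():
    dev = WearLeveledFlash()
    for i in range(6):                      # fill every block with unremarkable data
        dev.write(0, f"filler-{i}")
    dev.write(0, "secret")                  # forces a cleanup, then lands in the freshly erased block
    dev.write(0, "replacement")             # logical overwrite: the secret's own page is untouched
    after_overwrite = dev.stale_copies()
    for i in range(3):                      # further wear pushes the secret's block to ERASE_LIMIT
        dev.write(0, f"more-{i}")
    return dev, after_overwrite
```

Reading logical address 0 through `fwd` returns the latest value, while `stale_copies()` still lists the secret, first as a stale page awaiting cleanup and finally inside a retired block that will never be erased.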
There is therefore a need for a technique that protects sensitive data from recovery in a storage device having wear leveling.