The present invention relates to nonvolatile storage devices and, more particularly, to methods for sanitizing a flash-based data storage device and to a flash-based data storage device particularly adapted to the implementation of these methods.
For as long as data has been stored digitally, there has been a need to erase classified data, from the medium in which they are stored, in a manner that renders the data unrecoverable. Such an erasure is called “sanitizing” the medium.
The most common nonvolatile data storage devices use magnetic data storage media, in which data bits are stored as magnetized regions of a thin ferromagnetic layer. It is difficult to sanitize such a medium. The usual method of sanitizing such a medium is to write over the data many times with different data patterns. This method requires a long time (minutes to hours) to perform, and cannot be guaranteed to render the old data unrecoverable. A sufficiently well-equipped laboratory can reconstruct data that were overwritten many times. Alternatively, the medium can be sanitized by degaussing it. Degaussing devices are cumbersome, power-hungry devices that are external to the system whose data storage medium is to be sanitized. Degaussing is considered safer than overwriting multiple times but is still not foolproof. The only foolproof way to sanitize a magnetic storage medium is to destroy it physically, which obviously renders the medium no longer useable to store new data.
More recently, a form of EEPROM (electronically erasable programmable read-only memory) non-volatile memory called “flash” memory has come into widespread use. FIG. 1 is a high level schematic block diagram of a generic flash-based data storage device 10 for storing data in one or more flash media 12, for example NAND flash media. The operation of device 10 is controlled by a microprocessor-based controller 14 with the help of a random access memory (RAM) 16 and an auxiliary non-volatile memory 18. Flash device 10 is used by a host device 24 to store data in flash media 12. Flash device 10 and host device 24 communicate via respective communication ports 20 and 26 and a communication link 24. Typically, for backwards compatibility with host devices 24 whose operating systems expect magnetic storage devices, flash device 10 emulates a block memory device, using firmware stored in auxiliary non-volatile memory 18 that implements the methods taught by Ban in U.S. Pat. No. 5,404,485 and U.S. Pat. No. 5,937,425, both of which patents are incorporated by reference for all purposes as if fully set forth herein.
The “atomic” operations that controller 14 performs on flash media 12 include read operations, write operations and erase operations. One important property of flash media 12 that is relevant to the present invention is that the granularity of the erase operations is larger than the granularity of read and write operations. For example, a NAND flash medium typically is read and written in units called “pages”, each of which typically includes between 512 bytes and 2048 bytes, and typically is erased in units called “blocks”, each of which typically includes between 16 and 64 pages.
Various US government agencies (primarily military) have defined standards for sanitizing flash media 12. According to DoD 5220.22-M National Industrial Security Program Operating Manual (NISPOM), every byte in flash media 12 is overwritten with the same character, and then flash media 12 are erased. According to National Security Agency (NSA) Manual 130-2, US Air Force System Security Instructions (AFSSI) 5020 and US Navy Staff Office Publication (NAVSO) 5239, “Information System Security Program Guidelines” (INFOSEC), flash media 12 are first erased and then are overwritten with random data. According to US Army Regulation 380-19, Information System Security, flash media 12 are first erased and then overwritten twice. In the first overwrite, flash media 12 are overwritten with random data. In the second overwrite, every byte in flash media 12 is overwritten with the same character. Finally, flash media 12 are erased a second time.