JP2022157951A - Image forming apparatus - Google Patents

Abstract

To safely erase data stored in a non-volatile memory.SOLUTION: A second non-volatile memory 22 of an MFP 1 is provided with an A drive 73 and a B drive 75. A key management application 46 is provided with security and can access key information. The B drive 75 stores a system data file that is encrypted by using the key management application 46, and the A drive 73 stores a user data file that is not encrypted. When receiving a first erasing instruction, the MFP 1 completely erases the A drive 73 to make all user data unusable. On the other hand, when receiving a second erasing instruction, the MFP 1 erases the system data file by using a file system.SELECTED DRAWING: Figure 2

Description

The present invention relates to an image forming apparatus having nonvolatile memory. More particularly, it relates to techniques for erasing data stored in non-volatile memory.

2. Description of the Related Art Conventionally, in an image forming apparatus having a nonvolatile memory, a technique for erasing data stored in the nonvolatile memory is known. For example, Patent Document 1 discloses a method of initializing a nonvolatile memory included in an image forming apparatus.

JP 2017-027244 A

2. Description of the Related Art In recent years, there are image forming apparatuses in which a file system is built in order to facilitate reading and writing data to and from a nonvolatile memory. By using the file system, the application program installed in the image forming apparatus can read and write data to the non-volatile memory without specifying the physical address where the data is stored in the non-volatile memory. can be done.

When data is deleted in this file system, the data to be deleted is out of the management of the file system and cannot be read out via the file system, but the data may remain in the non-volatile memory. Therefore, when erasing data stored in a nonvolatile memory, if safety is emphasized, it is desirable to make the data difficult to restore, such as by overwriting the entire storage area of the nonvolatile memory with dummy data. On the other hand, non-volatile memory may contain data that should not be erased. Therefore, as disclosed in Patent Document 1, a method of temporarily saving such data to another memory may be employed. A separate memory is required to store the data to be saved.

The present specification discloses a technique capable of safely erasing data stored in a nonvolatile memory in an image forming apparatus in which a file system is built.

An image forming apparatus that aims to solve the above problems is an image forming apparatus that includes a nonvolatile memory and an image forming unit, wherein the image forming apparatus includes a file used to access the nonvolatile memory. An application program that has a system and is installed in the image forming apparatus can read and write data to and from the nonvolatile memory via the file system. an application program for processing a job to operate the image forming unit using the data stored in the image forming unit; the nonvolatile memory is provided with a plurality of partitioned areas by the file system; includes a first area capable of storing first data and a second area capable of storing second data. and the specific module can access key information to encrypt data, and the image forming apparatus receives an instruction to write the second data in the second area. and executing a data write process of encrypting the second data using the specific module and writing the encrypted second data in the second area, and further comprising: When an instruction to erase area 1 is received, the storage area of the first area in the nonvolatile memory is completely erased to disable all of the first data stored in the first area. When a first erasing process is executed and an instruction to erase the second data stored in the second area is received, a second erasing process is executed to delete the second data by the file system. characterized in that

The image forming apparatus divides one nonvolatile memory into a plurality of areas by a file system, stores the first data and the second data in separate areas, and erases the data by a different erasing method for each area. This makes it possible to erase data stored in another area while leaving data stored in one area. Since the first data stored in the first area is completely erased, the safety of the first data is ensured. When erasing the second data stored in the second area, the second data may remain in the second area because the second data is deleted on the file system. However, since the second data itself is encrypted and the key information is accessible using a specific module with security, it is extremely difficult to decrypt and obtain the second data. It is difficult to do so, and security is ensured equivalent to erasing the second data itself.

A control method, a computer program, and a computer-readable storage medium storing the computer program for implementing the functions of the above apparatus are also novel and useful.

According to the technique disclosed in the present specification, a technique is realized that can safely erase data stored in a nonvolatile memory in an image forming apparatus in which a file system is constructed.

1 is a block diagram showing the configuration of an MFP according to one embodiment of the present invention; FIG. It is a figure explaining a file system. 4A and 4B are diagrams showing examples of a normal screen and a custom screen; FIG. It is a figure which shows the example of a display of a screen. 4 is a flow chart showing an example of a control procedure for data write processing; 8 is a flowchart illustrating an example of a control procedure for authentication processing; It is a figure which shows the example of a display of a screen. 7 is a flowchart illustrating an example of a control procedure for data reading processing; 7 is a flowchart illustrating an example of a control procedure for display processing; 6 is a flowchart showing an example of a control procedure for data erasure processing; FIG. 4 is a conceptual diagram showing an example of erasing user data; FIG. 4 is a conceptual diagram showing an example of erasing system data;

A device according to the present embodiment will be described in detail below with reference to the accompanying drawings. This embodiment discloses an image forming apparatus that manages data using a file system.

FIG. 1 is a block diagram showing the configuration of an MFP 1 according to one embodiment of the invention. An MFP (abbreviation for Multifunction Printer) 1 is a device having a print function, a copy function, a FAX function, and a scanner function. The MFP 1 is an example of an "image forming apparatus". The MFP 1 includes an operation display unit 11, a printing unit 12, a reading unit 13, a FAX modem 14, a communication interface (hereinafter referred to as "communication IF") 15, an ASIC (abbreviation for application specific integrated circuit) 16, and a memory 20 , which are connected via a bus 19 .

The operation display unit 11 includes hardware for receiving an operation by a user and hardware for displaying a screen for informing the user of information. The operation display unit 11 may be, for example, a combination of a keyboard, a mouse, etc., and a display capable of displaying information, or may be a touch panel having a display function and an input reception function. The operation display unit 11 is an example of a "user interface". The printing unit 12 prints an image on a print medium. The printing method of the printing unit 12 may be an electrophotographic method or an inkjet method. Images may be in color or monochrome. The printing unit 12 is an example of an "image forming unit".

The reading unit 13 reads an image of a document and generates image data. A FAX modem 14 transmits and receives FAX data to and from an external device via a telephone line. The communication IF 15 can be used by a communication terminal 2 used by a user (hereinafter referred to as "user terminal") or a person with special access authority such as a system vendor service person who provides services related to the MFP 1 (hereinafter referred to as "system vendor"). ) for communicating with an external device such as a communication terminal (hereinafter referred to as a “management terminal”) 3 . The communication standard of the communication IF 15 is, for example, Ethernet (registered trademark), Wi-Fi (registered trademark), USB, or the like. The communication IF 15 is an example of a "communication interface".

It should be noted that the system vendors and the like include service personnel of the manufacturer of the MFP1, service personnel of system vendors that sell business equipment systems including the MFP1, service personnel of sales companies that sell the MFP1, MFP1, and business equipment including the MFP1. This also applies to the system administrator of the company that brought in the software. The serviceman corresponds to, for example, a serviceman, a service or system administrator, and the like.

The ASIC 16 has a CPU 31 . The CPU 31 executes various processes according to programs read from the memory. The memory 20 is, for example, an HDD, an E2PROM, or a flash memory, and is used as an area for storing various programs, data such as image data and document data, and various settings.

An example of memory 20 may be a computer-readable storage medium. A computer-readable storage medium is a non-transitory medium. In addition to the above examples, non-transitory media include recording media such as CD-ROMs and DVD-ROMs. A non-transitory medium is also a tangible medium. On the other hand, an electrical signal that carries a program downloaded from a server on the Internet is a computer-readable signal medium, which is a kind of computer-readable medium, but is a non-transitory computer-readable storage. Not included in media.

The memory 20 of this embodiment includes a first nonvolatile memory 21 , a second nonvolatile memory 22 and a volatile memory 24 . The volatile memory 24 is also used as a work area when various processes are executed.

The first nonvolatile memory 21 stores an operating system (hereinafter referred to as “OS”) 41 and various application programs (hereinafter referred to as “apps”) 45 . Application 45 is a program for executing the functions of MFP 1 . The application 45 corresponds to, for example, a program that causes printing based on stored image data to be performed after predetermined authentication. For example, the application 45 includes various screens such as screens described with reference to FIGS. A program for displaying a screen on the operation display unit 11 (hereinafter referred to as a “display application”), a program for setting the operation screen, and a program for performing various processes for operations based on the display screen are applicable. A file system is built in MFP 1, and application 45 accesses data by designating the file name of the data to be used. The application 45 is an example of an "application program."

Further, for example, a key management application 46 is stored in the first nonvolatile memory 21 . The key management application 46 is secured and has access to key information. Security is provided so that only the key management application 46 can access the key information. Therefore, the key information cannot be accessed from the application 45 or the like. The key information is information based on an encryption key used for encrypting data stored in the second nonvolatile memory 22 as described later. The key management application 46 is a program that encrypts or decrypts data using an encryption key based on key information.

The key information may be composed of multiple types of key information provided for each data to be encrypted or for each type of data, or may be composed of one type of key information. The key information may be the encryption key itself, or information for generating the encryption key (for example, part of the encryption key). If the key information is part of a cryptographic key, the rest of the cryptographic key may be stored in a separate non-volatile storage area different from the corresponding part of the cryptographic key. The key information may be a decryption key created as a key for decrypting data encrypted with an encryption key.

FIG. 2 is a diagram for explaining the file system. The key management application 46 is encrypted so that it can only be used by the MFP 1 that has been activated, so security is provided. The MFP 1 may include a TPM (abbreviation for trusted platform module) as a module that replaces the key management application 46 . The TPM is secure coated. A key management application 46 or TPM is an example of a "specific module."

Note that the first nonvolatile memory 21 simply indicates a storage area for storing the OS 41, the application 45, and the key management application 46, and the OS 41, the application 45, and the key management application 46 are physically stored. may be stored in another non-volatile memory. The OS 41 may be stored in a ROM (not shown). The key management application 46 may be stored in a nonvolatile storage area different from the A drive 73 and the B drive 75 of the second nonvolatile memory 22 .

The second non-volatile memory 22 is a memory in which data or programs can be read and written. The second non-volatile memory 22 stores data used by the application 45 and the like via the file system. The second nonvolatile memory 22 is an example of "nonvolatile memory".

The file system manager 91 divides the second nonvolatile memory 22 into a plurality of areas. The file system management unit 91 reads and writes data in each area according to instructions from the application 45 or the like. The file system management section 91 includes an instruction section and a management section.

The instruction unit performs processing for writing, reading, and erasing data in the second nonvolatile memory 22 (for example, FIG. 5 (A) (B), FIG. 6, FIG. 8, and FIG. 10 (A ) and the processing shown in (B)). The instruction unit receives various instructions that serve as triggers for starting processes shown in FIGS. The instruction unit receives a file designation from the application 45 or the like based on the file name. The instruction unit passes a write instruction to write data to the second nonvolatile memory 22 and a read instruction to read data from the second nonvolatile memory 22 to the management unit in accordance with instructions from the application 45 or the like. The instruction section designates a partition and a file by a "partition name" and a "file name" when passing a write instruction or a read instruction to the management section. The instruction unit can also be regarded as middleware that takes charge between the application 45 and the like and the management unit. The instruction unit may be one of the apps.

The management unit is composed of a program for managing partition information and file information. The partition information is information about the area, and includes, for example, the name (partition name) and address of the area. File information is information about data stored in the area, and includes, for example, file names and addresses. In other words, the management unit manages relationship information indicating the relationship between the partition name, file name, and memory address of the second nonvolatile memory 22 . The management unit receives an instruction designating an area or a file with a "partition name" or a "file name" from the instruction unit. The management unit writes, reads, and erases data in the second nonvolatile memory 22 according to the instructions received from the instruction unit. The management unit may be included as part of the OS. Of the partition information and file information, addresses are black-boxed with respect to the application 45 .

In the following description, various processes performed by the instruction section and the management section will be described as processing performed by the file system management section 91. FIG. Also, the file system management unit 91 may be composed of one program.

In this embodiment, the file system management unit 91 divides the second nonvolatile memory 22 into a first area (hereinafter referred to as "A drive") 73 and a second area (hereinafter referred to as "B drive") 75. , A drive 73 and B drive 75 are managed. The A drive 73 stores unencrypted user data that can be erased by a general user's operation. In addition, the B drive 75 stores encrypted system data that cannot be erased by a general user's operation. The file system management unit 91 manages file information of user data and system data. The A drive 73 is an example of the "first area", and the user data is an example of the "first data". The B drive 75 is an example of the "second area", and the system data is an example of the "second data".

User data corresponds to address book information (name, name, group name, telephone number, FAX number, etc.) registered in the address book. The address book information is stored in the A drive 73 as a second user data file 84b, for example. User data is not limited to address book information, and may be FAX data received via FAX modem 14 or the like.

The system data corresponds to, for example, custom data for displaying a custom screen D22 in which the display of the background and icons is customized, as shown in FIG. 3B. In the custom screen D22, for example, the background B22 is changed from the background B21 of the normal screen D21 shown in FIG. 3(A). For example, the custom data is encrypted and written to the B drive 75 as the first system data file 86a. Note that system data is not limited to custom data. For example, system data may be a custom program to access custom data. The custom program is stored in the B drive 75 as a second system data file 86b. A custom program includes a custom data flag that indicates whether custom data is valid or invalid.

Next, the operation of MFP 1 will be described with reference to the drawings. In the following description, the processing by the CPU 31 for determining whether or not the information A indicates that the matter B is conceptually represented as "determining whether or not the information A is the matter B". may be described. The processing by the CPU 31 to determine whether information A indicates matter B or matter C is defined as "determining whether information A is matter B or matter C". It may be described conceptually as Also, the processing of the CPU 31 described below may be performed by the ASIC 16 . Also, the subject that executes the process may be the application or the file system management unit 91 . In this case, the CPU 31 or the ASIC 16 substantially performs the processing performed by the application and the file system management unit 91 .

First, a control procedure for writing user data to the A drive 73 will be described. For example, when the address book button A11 is operated via the operation display unit 11 on the various setting screen D11 of FIG. 4A, the MFP 1 activates an address book application that manages address information. The address book application instructs the file system management unit 91 to write the address book information to the second non-volatile memory 22 upon receiving the input operation of the address book information.

The file system management unit 91 that has received the instruction judges that it has received the first data write instruction, and executes the first data write process shown in FIG. 5(A). That is, the file system management unit 91 writes the address book information as the second user data file 84b to the A drive 73 of the second nonvolatile memory 22 without encrypting it (S1), and ends the process. At this time, the file system management section 91 stores the file information of the second user data file 84b in a predetermined area. As a result, the second user data file 84b becomes a management target of the file system, and the application 45 or the like can access the second user data file 84b via the file system.

In this embodiment, the first data write instruction is open to the public. Therefore, a general user, a system vendor, or the like can input the first data write instruction to MFP 1 and write user data into second nonvolatile memory 22 . The method of inputting the first erase instruction, which will be described later, is also open to the public, as is the case with the first data write instruction. The operation of inputting the first data write instruction and the first erase instruction through the operation display section 11 is an example of the "first user operation".

Next, a procedure for writing system data to the B drive 75 will be described. In this embodiment, the method of inputting the second data write instruction is not disclosed to the general public, but is disclosed only to system vendors and the like. Therefore, only a system vendor or the like can write system data to the second nonvolatile memory 22 . Therefore, the second data write instruction is input to MFP 1 by a method different from that of the first data write instruction. It should be noted that the method of inputting the second erasure instruction, which will be described later, is not open to the general public, but is open to the public only to system vendors and the like, as with the second data write instruction.

For example, the management terminal 3 incorporates a PC application that is not open to the public and is open only to system vendors and the like. A PC application is, for example, a program that creates system data. A command for the PC application to send system data to the MFP 1 has not been disclosed. Therefore, only the system vendor or the like can write system data to the MFP 1 .

For example, the management terminal 3 generates custom data for the custom screen D22 using a PC application installed in its own terminal, and upon receiving an instruction to input the custom data to the MFP 1, writes the custom data to the second nonvolatile memory 22. A command instructing to do so is transmitted to the MFP1. The management terminal 3 is an example of an "external device". Receiving commands is an example of a "specific input method."

When MFP 1 receives the command via communication IF 15, MFP 1 determines that the second data write instruction has been received, and executes the second data write process shown in FIG. 5B.

The file system management unit 91 requests the key management application 46 to encrypt the custom data (S12). The key management application 46 accesses key information corresponding to custom data, and encrypts the custom data input from the management terminal 3 to the PC 1 using an encryption key based on the key information. If the key information is the encryption key itself, the key management application 46 uses the key information as the encryption key. If the key information is a part of the encryption key, the key management application 46 acquires the remainder of the encryption key based on the part of the encryption key and reproduces the encryption key. The key information is data for creating an encryption key, and the key management application 46 may create an encryption key based on this data.

The file system management unit 91 writes the custom data encrypted by the key management application 46 to the B drive 75 as the first system data file 86a (S13). In response to this, the file system management unit 91 writes the file information of the first system data file 86a to a predetermined area. As a result, the first system data file 86a becomes a management target of the file system. The processing of S12 and S13 is an example of "data write processing". Further, the file system management unit 91 updates the custom data flag of the custom program by switching it from invalid to valid. The custom data flag may be arbitrarily switched between valid and invalid after writing the custom data by an operation that is open only to the system vendor or the like. Note that the custom data flag may be stored in the B drive 75 as system data. After that, the file system management unit 91 terminates the processing.

The command for writing system data to the B drive 75 may be, for example, a PJL command. When the MFP 1 receives a PJL command, or when the PJL command is stored in an attached external memory (for example, a USB memory), it analyzes the PJL command and writes the system data to the B drive 75. For example, the second data write process shown in FIG. 5B is executed to write the system data to the B drive 75 .

The MFP 1 does not write system data to the B drive 75 by receiving a command from the management terminal 3, but accepts a second data write instruction input by the system vendor or the like via the operation display unit 11, and writes the system data to the B drive 75. system data may be written to

For example, a system vendor or the like attaches to the MFP 1 a USB memory storing created custom data. Then, the system vendor or the like operates the system management button A14 displayed on the various setting screen D11 shown in FIG. 4(A). Then, the CPU 31 accepts the authentication instruction and executes the authentication process shown in FIG. The operation of the system management button A14 is an example of "specific user operation".

The CPU 31 causes the operation display section 11 to display the authentication information input screen D3 shown in FIG. 7A (S20), and determines whether or not the authentication information has been accepted (S21). When the system vendor or the like enters the authentication information in the input field SA of the authentication information input screen D3 and operates the OK button A3, the CPU 31 determines that the authentication information has been accepted (S21: YES), and based on the entered authentication information. User authentication is performed to determine whether or not the user has a specific access right (S22). The processing of S21 and S22 is an example of "authentication processing".

When the authentication is successful (S23: YES), the CPU 31 causes the operation display section 11 to display a system management screen D5 as shown in FIG. 7B (S24). In other words, the system management screen D5 is a screen that can be operated only by a specific user who has been successfully authenticated, and is a screen that cannot be operated by general users. The system management screen D5 includes a data input button A5 for instructing input of system data, a reset button A6 for instructing deletion of system data, and an other button A7 for instructing other processing. The operation of the buttons A5 and A6 is an example of the "second user operation".

The CPU 31 determines whether or not the data input button A5 or the reset button A6 has been operated (S25). When the CPU 31 accepts the operation of the data input button A5 (S25: data input button), the CPU 31 passes the second data write instruction to the file system management section 91 (S29), and terminates the process. Upon receiving the second data write instruction, the file system management unit 91 executes the above-described second data write process shown in FIG. 5B. As a result, the custom data stored in the USB memory attached to MFP 1 is encrypted using key management application 46 after input to PC 1 , and written to B drive 75 by file management system 91 .

Next, a control procedure for reading system data from the B drive 75 will be described. For example, when the file system management unit 91 receives a read instruction designating the file name of the first system data file 86a from the application 45 or the like, the file system management unit 91 executes the data read processing shown in FIG.

The file system management unit 91 acquires the first system data file 86a from the B drive 75 of the second nonvolatile memory 22 based on the file name specified by the read instruction (S51).

Then, the file system management unit 91 requests the key management application 46 to decrypt the first system data file 86a acquired in S51 (S53). The process of S53 is an example of "a process of decoding the second data".

For example, the key management application 46 accesses key information corresponding to the first system data file 86a. If the key information of the access destination is the encryption key itself, the key management application 46 uses the key information as the encryption key to decrypt the first system data file. Further, for example, when the key information of the access destination is a part of the encryption key, the key management application 46 accesses the remainder of the encryption key, reproduces the encryption key itself, and uses the reproduced encryption key to perform the first encryption. Decrypt the system data file 86a. If the key information of the access destination is a decryption key corresponding to the encryption key used to encrypt the first system data file 86a, the key management application 46 decrypts the first system data file 86a using the key information. become

The file system management unit 91 passes the first system data file 86a decrypted by the key management application 46 to the application 45 and the like (S54), and ends the process.

Security is applied to the key management application 46, and only the key management application 46 can access the key information. Therefore, key information is less likely to leak, and system data can be used safely. In addition, since the key management application 46 collectively manages the decryption of system data, the application 45 and the like can easily read the system data compared to the case of decrypting the data by themselves.

This data reading process is executed, for example, when screen display is performed on the operation display unit 11 using a display application. For example, when the OS 41 is activated, the MFP 1 causes the CPU 31 to read the display application from the first non-volatile memory 21 and execute the display processing shown in FIG.

The display application determines whether the custom data flag is valid, for example, via the file system (S61). Specifically, the display application passes to the file system management unit 91 a read instruction designating the file name of the second system data file 86b. The file system management unit 91 executes the data reading process described above, and passes the second system data file 86b decrypted by the key management application 46 to the display application. The display application determines whether the custom data flag of the custom program is valid based on the decrypted second system data file 86b (S61). If the custom data flag is invalid (S61: NO), the display application displays the normal screen D21 shown in FIG. 3A (S65), and ends the process.

On the other hand, if the custom data flag is valid (S61: YES), the display application determines whether custom data has been detected (S62). Specifically, the display application has regularized file names as custom data files in advance. The display application instructs the file system management unit 91 to search for a file name according to the rule. For example, the display application passes the file name of the first system data file 86a to the file system management unit 91, and when the file system management unit 91 does not detect the file (S62: NO), the normal screen D21 is displayed. (S65), the process ends.

On the other hand, when the file system management unit 91 detects the file name of the first system data file 86a (S62: YES), the display application acquires the custom data via the file system management unit 91 (S63). . That is, the file system management unit 91 executes the data reading process described above, and passes the first system data file 86a decrypted by the key management application 46 to the display application. The display application uses the custom data stored in the decrypted first system data file 86a to display, for example, the custom screen D22 shown in FIG. 3B (S64), and ends the process.

Next, a control procedure for erasing user data from the second nonvolatile memory 22 by the MFP 1 will be described. Since the user data is input by the user's operation after shipment from the factory, it is preferable that the user can arbitrarily delete the data. The MFP 1 can delete user data on the file system by deleting file information managed by the file system management unit 91, for example. However, with this method, the first user data file 84 a and the second user data file 84 b remain in the A drive 73 . Therefore, when the second non-volatile memory 22 is discarded or recycled, the unencrypted first user data file 84a and the second user data file 84b can be used as a file restoration tool (also called salvage tool or recovery tool). can be read and leaked using Therefore, in this embodiment, the user data stored in the A drive 73 is completely erased.

For example, when the reset button A13 is operated on the various setting screen D11 shown in FIG. 4A, the MFP 1 displays the reset screen D1 shown in FIG. The reset screen D1 is a screen that can be displayed without authentication, and is a screen that can be operated by both general users and specific users such as system vendors.

When the all data button A1 on the reset screen D1 is operated via the operation display unit 11, the file system management unit 91 determines that the first erase instruction has been received, and performs the first data erase process shown in FIG. 10(A). to run. The partition name of the A drive 73 is specified in the first erase instruction. The first erase instruction is an example of "an erase instruction for the first area".

Note that the display of the button A1 may be "factory reset". When the button A1 for displaying factory reset is operated, data that needs to be reset to the factory shipping state may be reset to the factory shipping state in addition to the complete erasure of the A drive 73, which will be described later. An all data button for instructing erasure of all user data and a factory reset button for instructing data to be reset to the factory shipping state may be separately provided.

In the first data erasing process shown in FIG. 10(A), the file system management unit 91 executes the processing in the second non-volatile memory 22 in order. is stopped (S41). This eliminates unnecessary input of instructions to the file system management unit 91 from the application 45 or the like while the file system management unit 91 is processing the second nonvolatile memory 22 in order.

The file system management unit 91 sequentially performs processing on the second nonvolatile memory 22, thereby completely erasing the A drive 73 from the second nonvolatile memory 22 as shown in FIG. 11A (S42 ). The process of S42 is an example of the "complete erasure process". Also, the file system management unit 91 deletes the file information of the first user data file 84a and the second user data file 84b from the predetermined area. Furthermore, the file system management unit 91 deletes the partition information of the A drive 73 stored in the predetermined area. As a result, the A drive 73 cannot be used as a file system. In other words, the application 45 or the like cannot use user data via the file system management unit 91 .

Here, in this specification, "deletion", "erasure", and "complete erasure" are used with the following meanings. "Delete" means to make a file no longer exist on the file system. In other words, it means that the application 45 or the like is prevented from reading and writing data in the second nonvolatile memory 22 using the file name. For example, with respect to the first user data file 84a stored in the A drive 73, the file system management unit 91 requests the file of the first user data file 84a while the first user data file 84a is stored in the A drive 73. Deleting information corresponds to "deletion". In this case, the application 45 or the like cannot access the first user data file 84a via the file system management unit 91, but the first user data file 84a remains in the A drive 73.

“Erase” means to prevent the data itself to be erased from being read from the second nonvolatile memory 22 . For example, writing other data such as 0xff to the area where the first user data file 84a occupies the A drive 73 and the area where the file information of the first user data file 84a is stored constitutes "erase". Applicable. In this case, the first user data file 84 a remains neither in the file system nor in the A drive 73 . Since the second user data file 84b remains both on the file system and in the A drive 73, the application 45 and the like can access the second user data file 84b.

"Complete erasure" erases an area in which data to be erased is stored so that all data stored in the area, including the data to be erased, cannot be read from the second nonvolatile memory 22. means to For example, the entire area of the A drive 73, the entire area storing the partition information of the A drive 73, and the entire area storing the file information of the first user data file 84a and the second user data file 84b, Writing other data such as 0xff corresponds to "complete erasure". In this case, all the data stored in the A drive 73 will not remain in the file system nor in the second non-volatile memory 22, and the application 45, etc. also become inaccessible.

After completely erasing the A drive 73 as shown in FIG. 10A, the file system management unit 91 initializes or formats the second nonvolatile memory as shown in FIG. 11B. 22 to reconstruct the A drive 73x (S43). For example, the file system management unit 91 grasps the free space of the second non-volatile memory 22 from the partition information managed by the file system management unit 91 . Then, the file system management unit 91 checks the status of the free area and reserves an area with no abnormality as an area for reconstruction. Then, the file system management unit 91 stores the partition information indicating the reconstruction area in a predetermined area. Therefore, the A drive 73 x can be rebuilt in a different location from the A drive 73 before complete erasure, depending on the state of the second nonvolatile memory 22 . The file system management unit 91 that has reconstructed the A drive 73x reboots as shown in FIG. 10A (S44), and terminates the process.

In this way, the process of completely erasing the A drive 73 and the process of maintaining the A drive 73 by rebuilding are collectively performed. The safety of all stored user data can be guaranteed.

When the MFP 1 is discarded or recycled, for example, by inputting the first erasure instruction without user authentication, the MFP 1 can completely erase all the user data and prevent the leakage of the user data. Also, since the system data remains on the B drive 75, certain functions are maintained.

For example, when the address book button A2 is operated on the reset screen D1 of FIG. 4B, the file system management unit 91 accepts a delete instruction designating the file name of the second user data file 84b. In this case, the file system management unit 91 deletes the file information of the second user data file 84b from a predetermined area, so that the second user data file 84b is individually deleted on the file system, and the application 45 and the like are addressed. Cannot read book information.

Next, a control procedure for erasing system data from the second nonvolatile memory 22 by the MFP 1 will be described. For example, the system vendor or the like operates the system management button A14 on the various setting screen D11 of FIG. 4(A). Then, the CPU 31 executes the authentication process shown in FIG. After successful authentication based on the authentication information, the CPU 31 accepts the operation of the reset button A6 displayed on the system management screen D5 in FIG. 7B via the operation display unit 11 (S25: reset button), (S26). For example, the CPU 31 acquires the file names of the files stored in the B drive 75 from the file system management section 91 and displays them as a list. The CPU 31 waits until the file name is designated (S26: NO).

When, for example, the file name of the first system data file 86a is specified from among the file names displayed as a list (S26: YES), the CPU 31 stores the specified file name of the first system data file 86a in the file system management. It is passed to the section 91 (S27). Then, the CPU 31 passes the second erasure instruction to the file system management section 91 (S28), and terminates the process. The second erase instruction is an example of "an instruction to erase the second data stored in the second area". Therefore, the second erase instruction is input to MFP 1 by a method different from the first erase process. When the other button A7 on the system management screen D5 is operated (S25: NO), the CPU 31 performs other processing (S30) and terminates the processing.

The deletion of the system data by the system vendor or the like may be performed not only by operating the operation display unit 11 but also by using a PC application for deletion or a PJL command for deletion. That is, the PC application for deletion and the PJL command for deletion are open to the public only to system vendors and the like, and when the MFP 1 receives a command from the PC application for deletion or receives a PJL command for deletion, , it may be determined that the second erasure instruction has been accepted, and the second data erasure processing may be executed.

As shown in FIG. 10B, when the file system management unit 91 receives a second erasure instruction designating the first system data file 86a, the file system management unit 91 deletes the file information of the first system data file 86a from a predetermined area. Thus, the first system data file 86a is deleted (S32). The process of S32 is an example of the "second erasing process".

In this state, the first system data file 86a remains in the B drive 75. FIG. If the first system data file 86a is leaked, even though it is encrypted, it may be decrypted by some means, such as being decrypted by a future ultra-high-performance computer.

Therefore, as shown in FIG. 10B, the file system management unit 91 writes dummy data to the B drive 75 (S33). As a result, the first system data file 86a is overwritten with the dummy data X and fragmented. The process of S33 is an example of "dummy write process".

Specifically, since the partition information of the B drive 75 and the file information of the second system data file 86b remain in a predetermined area, the file system management unit 91 restores the second system data file 86b as shown in FIG. , the dummy data X is written to the B drive 75. At this time, the file system management section 91 can overwrite the first system data file 86a with the dummy data X since the file information of the first system data file 86a has been deleted from the predetermined area. This causes the first system data file 86a to become fragmented and difficult to fully reproduce. The file system management unit 91 writes the file information of dummy data X in a predetermined area. The file system management unit 91 writes dummy data X to the B drive 75 until the B drive 75 becomes full.

As shown in FIG. 10B, the file system management unit 91 deletes the dummy data X from the file system by deleting the file information of the dummy data X written in the B drive 75 from a predetermined area. (S34), the process ends. The processing of S34 is an example of "dummy deletion processing". As a result, the second non-volatile memory 22 can overwrite the dummy data X written in the B drive 75 with other data, making it easier to use the B drive 75 .

In the process of S33, one dummy data X is written to the B drive 75 until the memory becomes full, but dummy data of a certain size may be written to the B drive 75 until the memory becomes full. In this case, in the process of S34, the file information of the dummy data written to the B drive 75 is deleted from the predetermined area.

As described above, the MFP 1 of this embodiment divides the second nonvolatile memory 22 into the A drive 73 and the B drive 75 according to the file system, and stores user data and system data separately in the A drive 73 and the B drive 75. Then, the user data and system data are erased by different erasing methods for the A drive 73 and the B drive 75 . As a result, for example, user data stored in the A drive 73 can be erased while system data stored in the B drive 75 remains. Since the user data stored in the A drive 73 is completely erased, the safety of the user data is ensured.

When erasing the first system data file 86a stored in the B drive 75, the first system data file 86a may remain in the B drive 75 because the first system data file 86a is deleted on the file system. However, the first system data file 86a itself is encrypted, and only the key management application 46 can access the key information. That is, even if the first system data file 86a is leaked, it is unlikely that the first system data file 86a will be decrypted. That is, the MFP 1 guarantees the safety of the first system data file 86a in the same way as when the first system data file 86a itself is deleted. Thus, according to the MFP 1 of this embodiment, it is possible to safely erase the data stored in the second nonvolatile memory 22 .

Moreover, user data is often data that is accessed more frequently than system data, and data that poses less danger even if leaked. Therefore, the user data is written to the A drive 73 without being encrypted, so that the application 45 or the like can read and write the user data to the second nonvolatile memory 22 at high speed via the file system. On the other hand, since the system data is encrypted and written to the B drive 75, it takes more time to read and write to the second nonvolatile memory 22 than unencrypted user data.

However, in the present embodiment, for example, when a second deletion instruction to delete the first system data file 86a is received, the file information of the first system data file 86a is deleted on the file system so that the first system data file 86a is deleted from the application 45 or the like so that it cannot be used. Since only the key management application 46 can access the key information, it is unlikely that the first system data file 86a will be decrypted. For example, after the second system data file 86b, which is not to be erased, is saved from the B drive 75, the B drive 75 is completely erased, and then the second system data file 86a is deleted. By returning the file 86b to the B drive 75, the processing time for individually erasing the first system data file 86a can be shortened compared to the case of erasing the first system data file 86a itself. In addition, the MFP 1 can reduce the frequency of reading and writing system data in the second nonvolatile memory 22 and reduce deterioration of the second nonvolatile memory 22 .

It should be noted that the present embodiment is merely an example, and does not limit the present invention in any way. Therefore, the present invention can naturally be improved and modified in various ways without departing from the scope of the invention. For example, MFP 1 may be a printer having only a printing function.

The processing of S33 and S34 in FIG. 10B may be omitted. However, after deleting the system data to be erased on the file system, by writing dummy data X to the B drive 75 until the memory becomes full, fragmentation of the system data progresses, and the system data is deleted. It can be difficult to reproduce perfectly. Further, by deleting the dummy data from the file system, free memory on the file system of the B drive 75 is secured, and the B drive 75 can be used easily thereafter.

The B drive 75 may also store unencrypted data. However, by storing only encrypted data in the B drive 75, the safety of other data stored in the B drive 75 can be ensured simply by deleting the file information of the data to be erased.

The processing of S20 to S23 in FIG. 6 may be omitted, and the second data write instruction or second erase instruction may be accepted even if the authentication is not successful, like the first data write instruction or first erase instruction. However, by accepting the second data write instruction and the second erase instruction through the input operation after successful authentication, the general user can write data to the B drive, or the system data written to the MFP 1 by the system vendor, etc. can be transferred to the general user. can be avoided.

The process of S43 in FIG. 10A may be omitted. However, after completely erasing the A drive 73 and erasing the user data, the A drive 73x can be easily used by reconstructing or initializing the A drive 73x.

If the reset screen D1 has an all data button A1 or a factory reset button, the B drive 75 may also be completely erased when the factory reset button is operated. Alternatively, the processing shown in FIG. 10B may be performed for all the system data stored in the B drive 75 . Also, when the All Data button A1 is operated, only the A drive 73 is completely erased, and when the factory reset button is operated, both the A drive 73 and B drive 75 are completely erased. good too.

In the specification that the system data stored in the B drive 75 can be erased only when the second erase instruction is accepted, if the factory reset button to return the data to the factory shipment state is operated, there is data that cannot be erased, and the system vendor It is also possible to notify the user that it is necessary to have the user delete the data. Then, the MFP 1 inquires of the user who has confirmed the notification whether or not to continue the data erasure. 73 may be erased and the first data erasing process may not be performed if the instruction to continue is not accepted. According to this, the user who confirms the notification can avoid discarding or recycling the MFP 1 with data left in the B drive 75 by erroneously recognizing that the MFP 1 has returned to the factory shipment state.

Custom data may be written to the A drive 73 as user data. In this case, the custom data is data indicating the arrangement of custom material data. The custom material data is, for example, image data of backgrounds and icons used for the custom screen D22, and is stored in the B drive 75 as system data. MFP 1 may read custom material data from B drive 75, accept selection of custom material data via operation display unit 11, and create custom data. In this case, custom data is written to the A drive 73 as user data. The MFP 1 may read the custom data and the custom material data from the A drive 73 and the B drive 75, respectively, and display on the operation display unit 11 a screen on which the image data indicated by the custom material data is arranged according to the custom data.

If user data is encrypted, it may be stored in the B drive 75 . In this case, the encrypted user data is an example of "second data".

In any flow chart disclosed in the embodiments, multiple processes in any multiple steps can be arbitrarily changed in execution order or executed in parallel as long as there is no contradiction in the processing contents.

The processing disclosed in the embodiments may be performed by a single CPU, multiple CPUs, hardware such as an ASIC, or a combination thereof. Further, the processes disclosed in the embodiments can be realized in various forms such as a recording medium recording a program for executing the processes, a method, and the like.

1 MFP
13 Printing unit 22 Second nonvolatile memory 45 Application 46 Key management application 73 A drive 75 B drive

Claims (12)

non-volatile memory;
an image forming unit;
An image forming apparatus comprising
The image forming apparatus is
An application program installed in the image forming apparatus having a file system used for accessing the nonvolatile memory can read and write data to and from the nonvolatile memory via the file system. The program includes an application program for processing a job for operating the image forming unit using data stored in the nonvolatile memory,
The nonvolatile memory is provided with a plurality of areas partitioned by the file system, and the plurality of areas includes a first area capable of storing first data and a second data. a storable second area; and
Further, the image forming apparatus
A specific module with security is provided, the specific module is capable of accessing key information and encrypting data,
Further, the image forming apparatus
When an instruction to write the second data in the second area is received, the second data is encrypted using the specific module, and the encrypted second data is transferred to the second area. Execute data write processing to write to
Further, the image forming apparatus
When an instruction to erase the first area is accepted, the storage area of the first area in the nonvolatile memory is completely erased to make all the first data stored in the first area unusable. perform a first erasure process to
When an instruction to erase the second data stored in the second area is received, executing a second erasing process of deleting the second data by the file system;
An image forming apparatus characterized by: In the image forming apparatus according to claim 1,
The image forming apparatus is
When an instruction to erase the second data stored in the second area is received, after the second erasing process is executed, dummy data is stored in the second area by the file system until the memory becomes full. perform a dummy write operation that writes to
An image forming apparatus characterized by: In the image forming apparatus according to claim 2,
The image forming apparatus is
When an instruction to erase the second data stored in the second area is received, after the second erasing process and the dummy write process are executed, the second data is stored in the second area by the dummy write process. Execute a dummy deletion process for deleting the written dummy data by the file system;
An image forming apparatus characterized by: In the image forming apparatus according to any one of claims 1 to 3,
the second area stores the encrypted second data and does not store unencrypted data;
An image forming apparatus characterized by: In the image forming apparatus according to any one of claims 1 to 3,
the specific module is capable of decrypting data by accessing the key information;
The image forming apparatus is
When receiving an instruction to read the second data from the second area, executing a process of decoding the second data using the specific module;
An image forming apparatus characterized by: In the image forming apparatus according to any one of claims 1 to 5,
with a user interface,
The image forming apparatus is
executing the first erasing process when the erasing instruction for the first area is received by a first user operation via the user interface;
When the erase instruction for the second data is received by a specific input method different from the first user operation, the second erase process is executed.
An image forming apparatus characterized by: In the image forming apparatus according to claim 6,
Equipped with a communication interface,
The image forming apparatus is
executing the first erasing process when the erasing instruction for the first area is accepted by the first user operation via the user interface;
executing the second erasing process when the erasing instruction for the second data is accepted by receiving a command from an external device via the communication interface as the specific input method;
An image forming apparatus characterized by: In the image forming apparatus according to claim 6,
The image forming apparatus is
When an authentication instruction is received by a specific user operation via the user interface, performing an authentication process of requesting input of authentication information and performing user authentication based on the input authentication information,
executing the first erasing process when the erasing instruction for the first area is accepted by the first user operation via the user interface;
If the erasure instruction for the second data is received by accepting a second user operation different from the first user operation via the user interface as the specific input method, the second erasure process is performed. The second user operation is an operation that can be input after the authentication process has succeeded, and the first user operation can be input even if the authentication process has not succeeded. is an operation,
An image forming apparatus characterized by: In the image forming apparatus according to any one of claims 1 to 5,
a user interface;
with
The image forming apparatus is
storing the first data input by a first user operation through the user interface in the first area;
storing the second data input by a specific input method different from the first user operation in the second area;
An image forming apparatus characterized by: In the image forming apparatus according to claim 9,
Equipped with a communication interface,
The image forming apparatus is
storing the first data input by the first user operation through the user interface in the first area;
storing the second data input by receiving from an external device via the communication interface as the specific input method in the second area;
An image forming apparatus characterized by: In the image forming apparatus according to claim 9,
The image forming apparatus is
When an authentication instruction is received by a specific user operation via the user interface, performing an authentication process of requesting input of authentication information and performing user authentication based on the input authentication information,
storing the first data input by the first user operation through the user interface in the first area;
storing in the second area the second data input by a second user operation different from the first user operation via the user interface as the specific input method; The operation is an operation that can be input after successful authentication by the authentication process, and the first user operation is an operation that can be input even if the authentication by the authentication process is not successful.
An image forming apparatus characterized by: In the image forming apparatus according to any one of claims 1 to 11,
The image forming apparatus is
When an instruction to erase the first area is received, after executing the first erasing process, reconstructing the first area;
An image forming apparatus characterized by:

Images