JP2022157950A - Image forming apparatus - Google Patents

Abstract

To securely delete data stored in non-volatile memories.SOLUTION: A MFP 1 comprising a second non-volatile memory 22 and a print unit 12 divides the second non-volatile memory 22 into an A drive 73 and a B drive 75 by partitions using a file system, stores unencrypted user data into the A drive 73 and stores encrypted system data into the B drive 75. Key information 51 corresponding to the encrypted system data is stored in a third non-volatile memory 23 separate from the second non-volatile memory 22. The MFP 1 completely deletes the A drive 73 if an instruction to delete the user data is received, and deletes first key information 51a corresponding to a first system data file 86a from the third non-volatile memory 23 if an instruction to delete the first system data file 86a is received.SELECTED DRAWING: Figure 2

Description

The present invention relates to an image forming apparatus having nonvolatile memory. More particularly, it relates to techniques for erasing data stored in non-volatile memory.

2. Description of the Related Art Conventionally, in an image forming apparatus having a nonvolatile memory, a technique for erasing data stored in the nonvolatile memory is known. For example, Patent Document 1 discloses a method of initializing a nonvolatile memory included in an image forming apparatus.

JP 2017-027244 A

2. Description of the Related Art In recent years, there are image forming apparatuses in which a file system is built in order to facilitate reading and writing data to and from a nonvolatile memory. By using the file system, the application program installed in the image forming apparatus can read and write data to the non-volatile memory without specifying the physical address where the data is stored in the non-volatile memory. can be done.

When data is deleted in this file system, the data to be deleted is out of the management of the file system and cannot be read out via the file system, but the data may remain in the non-volatile memory. Therefore, when erasing data stored in a nonvolatile memory, if safety is emphasized, it is desirable to make the data difficult to restore, such as by overwriting the entire storage area of the nonvolatile memory with dummy data. On the other hand, non-volatile memory may contain data that should not be erased. Therefore, as disclosed in Patent Document 1, a method of temporarily saving such data to another memory may be employed. A separate memory is required to store the data to be saved.

The present specification discloses a technique capable of safely erasing data stored in a nonvolatile memory in an image forming apparatus in which a file system is built.

An image forming apparatus that aims to solve the above problems is an image forming apparatus that includes a nonvolatile memory and an image forming unit, wherein the image forming apparatus includes a file used to access the nonvolatile memory. An application program that has a system and is installed in the image forming apparatus can read and write data to and from the nonvolatile memory via the file system. an application program for processing a job to operate the image forming unit using the data stored in the image forming unit; the nonvolatile memory is provided with a plurality of partitioned areas by the file system; includes a first area capable of storing first data and a second area capable of storing second data. If an instruction to write the second data is accepted, the second data is encrypted, data write processing is executed to write the encrypted second data in the second area, and the image formation is performed. The device has a specific nonvolatile storage area different from the first area and the second area, and the specific nonvolatile storage area contains key information for the encrypted second data. is stored, and when an instruction to erase the first area is received, a complete erase process is executed for completely erasing the storage area of the first area in the nonvolatile memory, and the data is stored in the second area. and executing a key erasing process for erasing the key information corresponding to the second data from the specific non-volatile storage area when an instruction to erase the second data is received. .

The image forming apparatus having the above configuration divides one nonvolatile memory into a plurality of areas by a file system, stores the first data and the second data in separate areas, and erases the data by a different erasing method for each area. can erase data stored in another area while leaving data stored in one area. Since the first data stored in the first area is completely erased, the safety of the first data is ensured. When erasing the second data stored in the second area, the second data itself is encrypted, and the corresponding key information is erased to decrypt and decipher the second data. This makes it extremely difficult to delete the second data, and the same level of security is ensured as when the second data itself is erased.

A control method, a computer program, and a computer-readable storage medium storing the computer program for realizing the functions of the image forming apparatus are also novel and useful.

According to the technique disclosed in the present specification, a technique is realized that can safely erase data stored in a nonvolatile memory in an image forming apparatus in which a file system is constructed.

1 is a block diagram showing the configuration of an MFP according to one embodiment of the present invention; FIG. It is a figure explaining a file system. 4A and 4B are diagrams showing examples of a normal screen and a custom screen; FIG. It is a figure which shows the example of a display of a screen. 4 is a flow chart showing an example of a control procedure for data write processing; 8 is a flowchart illustrating an example of a control procedure for authentication processing; It is a figure which shows the example of a display of a screen. 7 is a flowchart illustrating an example of a control procedure for data reading processing; 7 is a flowchart illustrating an example of a control procedure for display processing; 6 is a flowchart showing an example of a control procedure for data erasure processing; FIG. 4 is a conceptual diagram showing an example of erasing user data; FIG. 4 is a conceptual diagram showing an example of erasing system data;

A device according to the present embodiment will be described in detail below with reference to the accompanying drawings. This embodiment discloses an image forming apparatus that manages data using a file system.

FIG. 1 is a block diagram showing the configuration of an MFP 1 according to one embodiment of the invention. An MFP (abbreviation for Multifunction Printer) 1 is a device having a print function, a copy function, a FAX function, and a scanner function. The MFP 1 is an example of an "image forming apparatus". The MFP 1 includes an operation display unit 11, a printing unit 12, a reading unit 13, a FAX modem 14, a communication interface (hereinafter referred to as "communication IF") 15, an ASIC (abbreviation for application specific integrated circuit) 16, and a memory 20 , which are connected via a bus 19 .

The operation display unit 11 includes hardware for receiving an operation by a user and hardware for displaying a screen for informing the user of information. The operation display unit 11 may be, for example, a combination of a keyboard, a mouse, etc., and a display capable of displaying information, or may be a touch panel having a display function and an input reception function. The operation display unit 11 is an example of a "user interface". The printing unit 12 prints an image on a print medium. The printing method of the printing unit 12 may be an electrophotographic method or an inkjet method. Images may be in color or monochrome. The printing unit 12 is an example of an "image forming unit".

The reading unit 13 reads an image of a document and generates image data. A FAX modem 14 transmits and receives FAX data to and from an external device via a telephone line. The communication IF 15 can be used by a communication terminal 2 used by a user (hereinafter referred to as "user terminal") or a person with special access authority such as a system vendor service person who provides services related to the MFP 1 (hereinafter referred to as "system vendor"). ) for communicating with an external device such as a communication terminal (hereinafter referred to as a “management terminal”) 3 . The communication standard of the communication IF 15 is, for example, Ethernet (registered trademark), Wi-Fi (registered trademark), USB, or the like. The communication IF 15 is an example of a "communication interface".

It should be noted that the system vendors and the like include service personnel of the manufacturer of the MFP1, service personnel of system vendors that sell business equipment systems including the MFP1, service personnel of sales companies that sell the MFP1, MFP1, and business equipment including the MFP1. This also applies to the system administrator of the company that brought in the software. The serviceman corresponds to, for example, a serviceman, a service or system administrator, and the like.

The ASIC 16 has a CPU 31 . The CPU 31 executes various processes according to programs read from the memory. The memory 20 is, for example, an HDD, an E2PROM, or a flash memory, and is used as an area for storing various programs, data such as image data and document data, and various settings.

An example of memory 20 may be a computer-readable storage medium. A computer-readable storage medium is a non-transitory medium. In addition to the above examples, non-transitory media include recording media such as CD-ROMs and DVD-ROMs. A non-transitory medium is also a tangible medium. On the other hand, an electrical signal that carries a program downloaded from a server on the Internet is a computer-readable signal medium, which is a kind of computer-readable medium, but is a non-transitory computer-readable storage. Not included in media.

The memory 20 of this embodiment includes a first nonvolatile memory 21 , a second nonvolatile memory 22 , a third nonvolatile memory 23 and a volatile memory 24 . The volatile memory 24 is also used as a work area when various processes are executed.

The first nonvolatile memory 21 stores an operating system (hereinafter referred to as “OS”) 41 and various application programs (hereinafter referred to as “apps”) 45 . Application 45 is a program for executing the functions of MFP 1 . The application 45 corresponds to, for example, a program that causes printing based on stored image data to be performed after predetermined authentication. In addition, for example, the application 45 includes various screens such as screens described with reference to FIGS. A program that displays a screen on the operation display unit 11 (hereinafter referred to as a “display application”), a program that creates an operation screen, and a program that performs various processes for operations based on the display screen correspond. A file system is built in MFP 1, and application 45 accesses data by designating the file name of the data to be used. The application 45 is an example of an "application program." The first nonvolatile memory 21 shown in FIG. 1 simply shows a storage area for storing the OS 41 and the application 45, and the application 45 and the OS 41 are stored in physically separate nonvolatile memories. may be The OS 41 may be stored in a ROM (not shown).

Further, for example, as shown in FIG. 1, the first nonvolatile memory 21 stores a key management application 46 . The key management application 46 is a program for generating an encryption key, encrypting data using the generated encryption key, and decrypting encrypted data. The key management application 46 is executed when accessing data stored in the second nonvolatile memory 22 via the file system.

The second non-volatile memory 22 is a memory in which data or programs can be read and written. The second non-volatile memory 22 stores data used by the application 45 and the like via the file system. The second nonvolatile memory 22 is an example of "nonvolatile memory".

FIG. 2 is a diagram for explaining the file system. The file system manager 91 divides the second nonvolatile memory 22 into a plurality of areas. The file system management unit 91 reads and writes data in each area according to instructions from the application 45 or the like. The file system management section 91 includes an instruction section and a management section.

The instruction unit performs processing for writing, reading, and erasing data in the second nonvolatile memory 22 (for example, FIG. 5 (A) (B), FIG. 6, FIG. 8, and FIG. 10 (A ) and the processing shown in (B)). The instruction unit receives various instructions that serve as triggers for starting processes shown in FIGS. The instruction unit receives a file designation from the application 45 or the like based on the file name. The instruction unit passes a write instruction to write data to the second nonvolatile memory 22 and a read instruction to read data from the second nonvolatile memory 22 to the management unit in accordance with instructions from the application 45 or the like. The instruction section designates a partition and a file by a "partition name" and a "file name" when passing a write instruction or a read instruction to the management section. The instruction unit can also be regarded as middleware that takes charge between the application 45 and the like and the management unit. The instruction unit may be one of the apps.

The management unit is composed of a program for managing partition information and file information. The partition information is information about the area, and includes, for example, the name (partition name) and address of the area. File information is information about data stored in the area, and includes, for example, file names and addresses. In other words, the management unit manages relationship information indicating the relationship between the partition name, file name, and memory address of the second nonvolatile memory 22 . The management unit receives an instruction designating an area or a file with a "partition name" or a "file name" from the instruction unit. The management unit writes, reads, and erases data in the second nonvolatile memory 22 according to the instructions received from the instruction unit. The management unit may be included as part of the OS. Of the partition information and file information, addresses are black-boxed with respect to the application 45 .

In the following description, various processes performed by the instruction section and the management section will be described as processing performed by the file system management section 91. FIG. Also, the file system management unit 91 may be composed of one program.

In this embodiment, the file system management unit 91 divides the second nonvolatile memory 22 into a first area (hereinafter referred to as "A drive") 73 and a second area (hereinafter referred to as "B drive") 75. , A drive 73 and B drive 75 are managed. The A drive 73 stores unencrypted user data that can be erased by a general user's operation. In addition, the B drive 75 stores encrypted system data that cannot be erased by a general user's operation. The file system management unit 91 manages file information of user data and system data. The A drive 73 is an example of the "first area", and the user data is an example of the "first data". The B drive 75 is an example of the "second area", and the system data is an example of the "second data".

User data corresponds to address book information (name, name, group name, telephone number, FAX number, etc.) registered in the address book. The address book information is stored in the A drive 73 as a second user data file 84b, for example. User data is not limited to address book information, and may be FAX data received via FAX modem 14 or the like.

The system data corresponds to, for example, custom data for displaying a custom screen D22 in which the display of the background and icons is customized, as shown in FIG. 3B. In the custom screen D22, for example, the background B22 is changed from the background B21 of the normal screen D21 shown in FIG. 3(A). For example, the custom data is encrypted and written to the B drive 75 as the first system data file 86a. Note that system data is not limited to custom data. For example, system data may be a custom program to access custom data. The custom program is stored in the B drive 75 as a second system data file 86b. A custom program includes a custom data flag that indicates whether custom data is valid or invalid.

As shown in FIG. 2, the third nonvolatile memory 23 stores first key information 51a and second key information 51b. This is an example of a "specific non-volatile storage area". The first key information 51a and the second key information 51b are examples of "key information". The first key information 51a is information based on the encryption key used to encrypt the first system data file 86a. The second key information 51b is information based on the encryption key used to encrypt the second system data file 86b. The first key information 51a and the second key information 51b are stored in association with the first system data file 86a and the second system data file 86b. In the following description, the first key information 51a and the second key information 51b may be collectively referred to as "key information 51". The file system manager 91 can access the third nonvolatile memory 23 via the memory manager 92 .

Note that the key information 51 stored in the third nonvolatile memory 23 may be the encryption key itself, or may be information for generating the encryption key (for example, part of the encryption key). If the key information 51 is part of the encryption key, the remainder of the encryption key is stored in a storage area separate from the third nonvolatile memory 23, such as the first nonvolatile memory 21. FIG. The key information 51 may be stored in a non-volatile storage area, or may be stored in an area provided separately from the A drive 73 and B drive 75 in the second non-volatile memory 22 . A decryption key created as a key for decrypting data encrypted with the encryption key may be stored as the key information 51 .

Next, the operation of MFP 1 will be described with reference to the drawings. In the following description, the processing by the CPU 31 for determining whether or not the information A indicates that the matter B is conceptually represented as "determining whether or not the information A is the matter B". may be described. The processing by the CPU 31 to determine whether information A indicates matter B or matter C is defined as "determining whether information A is matter B or matter C". It may be described conceptually as Also, the processing of the CPU 31 described below may be performed by the ASIC 16 . In some cases, an application, a file system management unit 91, or a memory management unit 92 is used as a subject that executes processing. In this case, the CPU 31 or the ASIC 16 substantially performs the processes performed by the application, the file system management unit 91 and the memory management unit 92 .

First, a control procedure for writing user data to the A drive 73 will be described. For example, when the address book button A11 is operated via the operation display unit 11 on the various setting screen D11 of FIG. 4A, the MFP 1 activates an address book application that manages address information. The address book application instructs the file system management unit 91 to write the address book information to the second non-volatile memory 22 upon receiving the input operation of the address book information.

The file system management unit 91 that has received the instruction judges that it has received the first data write instruction, and executes the first data write process shown in FIG. 5(A). That is, the file system management unit 91 writes the address book information as the second user data file 84b to the A drive 73 of the second nonvolatile memory 22 without encrypting it (S1), and ends the process. At this time, the file system management section 91 stores the file information of the second user data file 84b in a predetermined area. As a result, the second user data file 84b becomes a management target of the file system, and the application 45 or the like can access the second user data file 84b via the file system.

In this embodiment, the first data write instruction is open to the public. Therefore, a general user, a system vendor, or the like can input the first data write instruction to MFP 1 and write user data into second nonvolatile memory 22 . The method of inputting the first erase instruction, which will be described later, is also open to the public, as is the case with the first data write instruction. The operation of inputting the first data write instruction and the first erase instruction through the operation display section 11 is an example of the "first user operation".

Next, a procedure for writing system data to the B drive 75 will be described. In this embodiment, the method of inputting the second data write instruction is not disclosed to the general public, but is disclosed only to system vendors and the like. Therefore, only a system vendor or the like can write system data to the second nonvolatile memory 22 . Therefore, the second data write instruction is input to MFP 1 by a method different from that of the first data write instruction. It should be noted that the method of inputting the second erasure instruction, which will be described later, is not open to the general public, but is open to the public only to system vendors and the like, as with the second data write instruction.

For example, the management terminal 3 incorporates a PC application that is not open to the public and is open only to system vendors and the like. A PC application is, for example, a program that creates system data. A command for the PC application to send system data to the MFP 1 has not been disclosed. Therefore, only the system vendor or the like can write system data to the MFP 1 .

For example, the management terminal 3 generates custom data for the custom screen D22 using a PC application installed in its own terminal, and upon receiving an instruction to input the custom data to the MFP 1, writes the custom data to the second nonvolatile memory 22. A command instructing to do so is transmitted to the MFP1. The management terminal 3 is an example of an "external device". Receiving commands is an example of a "specific input method."

When MFP 1 receives the command via communication IF 15, MFP 1 determines that the second data write instruction has been received, and executes the second data write process shown in FIG. 5B.

The file system management unit 91 uses the key management application 46 to generate an encryption key to be used for data encryption (S11). The processing of S11 is an example of "key generation processing". This encryption key is stored in the memory management unit 92 . A cryptographic key is created by, for example, random numbers. File system management unit 91 encrypts the custom data input to MFP 1 using the encryption key created in S11 (S12). The file system management unit 91 may request the key management application 46 to encrypt the custom data.

Then, the file system management unit 91 writes the encrypted custom data to the B drive 75 (S13). In response to this, the file system management unit 91 writes the file information of the first system data file 86a in a predetermined area, thereby setting the first system data file 86a as a management target. The processing of S12 and S13 is an example of "data write processing". Further, the file system management unit 91 updates the custom data flag of the custom program by switching it from invalid to valid. The custom data flag may be arbitrarily switched between valid and invalid after writing the custom data by an operation that is open only to the system vendor or the like. Note that the custom data flag may be stored in the B drive 75 as system data.

The file system management unit 91 generates the first key information 51a based on the encryption key stored in the memory management unit 92, and writes it to the third nonvolatile memory 23 via the memory management unit 92 (S14). At this time, the first key information 51a is stored in association with the first system data file 86a. Furthermore, the file system manager 91 erases the encryption key stored in the memory manager 92 . The process of S14 is an example of "key write process". After that, the file system management unit 91 terminates the processing.

The command for writing system data to the B drive 75 may be, for example, a PJL command. When the MFP 1 receives a PJL command, or when the PJL command is stored in an attached external memory (for example, a USB memory), it analyzes the PJL command and writes the system data to the B drive 75. For example, the second data write process shown in FIG. 5B is executed to write the system data to the B drive 75 .

The MFP 1 does not write system data to the B drive 75 by receiving a command from the management terminal 3, but accepts a second data write instruction input by the system vendor or the like via the operation display unit 11, and writes the system data to the B drive 75. system data may be written to

For example, a system vendor or the like attaches to the MFP 1 a USB memory storing created custom data. Then, the system vendor or the like operates the system management button A14 displayed on the various setting screen D11 shown in FIG. 4(A). Then, the CPU 31 accepts the authentication instruction and executes the authentication process shown in FIG. The operation of the system management button A14 is an example of "specific user operation".

The CPU 31 causes the operation display section 11 to display the authentication information input screen D3 shown in FIG. 7A (S20), and determines whether or not the authentication information has been accepted (S21). When the system vendor or the like enters the authentication information in the input field SA of the authentication information input screen D3 and operates the OK button A3, the CPU 31 determines that the authentication information has been accepted (S21: YES), and based on the entered authentication information. User authentication is performed to determine whether or not the user has a specific access right (S22). The processing of S21 and S22 is an example of "authentication processing".

When the authentication is successful (S23: YES), the CPU 31 causes the operation display section 11 to display a system management screen D5 as shown in FIG. 7B (S24). In other words, the system management screen D5 is a screen that can be operated only by a specific user who has been successfully authenticated, and is a screen that cannot be operated by general users. The system management screen D5 includes a data input button A5 for instructing input of system data, a reset button A6 for instructing deletion of system data, and an other button A7 for instructing other processing. The operation of the buttons A5 and A6 is an example of the "second user operation".

The CPU 31 determines whether or not the data input button A5 or the reset button A6 has been operated (S25). When the CPU 31 accepts the operation of the data input button A5 (S25: data input button), the CPU 31 passes the second data write instruction to the file system management section 91 (S29), and terminates the process. Upon receiving the second data write instruction, file system management unit 91 executes the second data write process shown in FIG. The key information 51 is written to the third non-volatile memory 23 as well as to the B drive 75 .

Next, a control procedure for reading system data from the B drive 75 will be described. For example, when the file system management unit 91 receives a read instruction designating the file name of the first system data file 86a from the application 45 or the like, the file system management unit 91 executes the data read processing shown in FIG.

The file system management unit 91 acquires the first system data file 86a from the B drive 75 of the second nonvolatile memory 22 based on the file name specified by the read instruction (S51). The file system management unit 91 reads the first key information 51a corresponding to the first system data file 86a from the third nonvolatile memory 23 via the memory management unit 92, and acquires the encryption key based on the first key information 51a. (S52). The processing of S52 is an example of "key acquisition processing".

For example, if the first key information 51a read from the third nonvolatile memory 23 is the encryption key itself, the file system management unit 91 acquires the first key information 51a as the encryption key. Further, for example, if the first key information 51a is a part of the encryption key, the file system management unit 91 acquires the remainder of the encryption key, reproduces the encryption key itself, and uses it as the encryption key. The first key information 51a is data for creating an encryption key, and the encryption key may be created based on this data. If the first key information 51a is a decryption key corresponding to the encryption key used to encrypt the first system data file 86a, the file system management section 91 acquires the decryption key as the encryption key. The key management application 46 may acquire the encryption key.

Then, the file system management unit 91 uses the encryption key obtained in S52 to decrypt the encrypted data (first system data file 86a) (S53). The process of S53 is an example of "a process of decoding the second data". The key management application 46 may decrypt the encrypted data. The file system management unit 91 delivers the decrypted first system data file 86a to the application 45 and the like (S54), and terminates the process.

This data reading process is executed, for example, when screen display is performed on the operation display unit 11 using a display application. For example, when the OS 41 is activated, the MFP 1 causes the CPU 31 to read the display application from the first non-volatile memory 21 and execute the display processing shown in FIG.

The display application determines whether the custom data flag is valid, for example, via the file system (S61). Specifically, the display application passes to the file system management unit 91 a read instruction designating the file name of the second system data file 86b. The file system management unit 91 executes the data reading process described above, and passes the second system data file 86b decrypted using the encryption key based on the second key information 51b to the display application. The display application determines whether the custom data flag of the custom program is valid based on the decrypted second system data file 86b (S61). If the custom data flag is invalid (S61: NO), the display application displays the normal screen D21 shown in FIG. 3A (S65), and ends the process.

On the other hand, if the custom data flag is valid (S61: YES), the display application determines whether custom data has been detected (S62). Specifically, the display application has regularized file names as custom data files in advance. The display application instructs the file system management unit 91 to search for a file name according to the rule. For example, the display application passes the file name of the first system data file 86a to the file system management unit 91, and when the file system management unit 91 does not detect the file (S62: NO), the normal screen D21 is displayed. (S65), the process ends.

On the other hand, when the file system management unit 91 detects the file name of the first system data file 86a (S62: YES), the display application acquires the custom data via the file system management unit 91 (S63). . That is, the file system management unit 91 executes the data reading process described above, and passes the first system data file 86a decrypted using the encryption key based on the first key information 51a to the display application. The display application uses the custom data stored in the decrypted first system data file 86a to display, for example, the custom screen D22 shown in FIG. 3B (S64), and ends the process.

Next, a control procedure for erasing user data from the second nonvolatile memory 22 by the MFP 1 will be described. Since the user data is input by the user's operation after shipment from the factory, it is preferable that the user can arbitrarily delete the data. The MFP 1 can delete user data on the file system by deleting file information managed by the file system management unit 91, for example. However, with this method, the first user data file 84 a and the second user data file 84 b remain in the A drive 73 . Therefore, when the second non-volatile memory 22 is discarded or recycled, the unencrypted first user data file 84a and the second user data file 84b can be used as a file restoration tool (also called salvage tool or recovery tool). can be read and leaked using Therefore, in this embodiment, the user data stored in the A drive 73 is completely erased.

For example, when the reset button A13 is operated on the various setting screen D11 shown in FIG. 4A, the MFP 1 displays the reset screen D1 shown in FIG. The reset screen D1 is a screen that can be displayed without authentication, and is a screen that can be operated by both general users and specific users such as system vendors.

When the all data button A1 on the reset screen D1 is operated via the operation display unit 11, the file system management unit 91 determines that the first erase instruction has been received, and performs the first data erase process shown in FIG. 10(A). to run. The partition name of the A drive 73 is specified in the first erase instruction. The first erase instruction is an example of "an erase instruction for the first area".

Note that the display of the button A1 may be "factory reset". When the button A1 for displaying factory reset is operated, data that needs to be reset to the factory shipping state may be reset to the factory shipping state in addition to the complete erasure of the A drive 73, which will be described later. An all data button for instructing erasure of all user data and a factory reset button for instructing data to be reset to the factory shipping state may be separately provided.

In the first data erasing process shown in FIG. 10(A), the file system management unit 91 executes the processing in the second non-volatile memory 22 in order. is stopped (S41). This eliminates unnecessary input of instructions to the file system management unit 91 from the application 45 or the like while the file system management unit 91 is processing the second nonvolatile memory 22 in order.

The file system management unit 91 sequentially performs processing on the second nonvolatile memory 22, thereby completely erasing the A drive 73 from the second nonvolatile memory 22 as shown in FIG. 11A (S42 ). The process of S42 is an example of the "complete erasure process". Also, the file system management unit 91 deletes the file information of the first user data file 84a and the second user data file 84b from the predetermined area. Furthermore, the file system management unit 91 deletes the partition information of the A drive 73 stored in the predetermined area. As a result, the A drive 73 cannot be used as a file system. In other words, the application 45 or the like cannot use user data via the file system management unit 91 .

Here, in this specification, "deletion", "erasure", and "complete erasure" are used with the following meanings. "Delete" means to make a file no longer exist on the file system. In other words, it means that the application 45 or the like is prevented from reading and writing data in the second nonvolatile memory 22 using the file name. For example, with respect to the first user data file 84a stored in the A drive 73, the file system management unit 91 requests the file of the first user data file 84a while the first user data file 84a is stored in the A drive 73. Deleting information corresponds to "deletion". In this case, the application 45 or the like cannot access the first user data file 84a via the file system management unit 91, but the first user data file 84a remains in the A drive 73.

“Erase” means to prevent the data itself to be erased from being read from the second nonvolatile memory 22 . For example, writing other data such as 0xff to the area where the first user data file 84a occupies the A drive 73 and the area where the file information of the first user data file 84a is stored constitutes "erase". Applicable. In this case, the first user data file 84 a remains neither in the file system nor in the A drive 73 . Since the second user data file 84b remains both on the file system and in the A drive 73, the application 45 and the like can access the second user data file 84b.

"Complete erasure" erases an area in which data to be erased is stored so that all data stored in the area, including the data to be erased, cannot be read from the second nonvolatile memory 22. means to For example, the entire area of the A drive 73, the entire area storing the partition information of the A drive 73, and the entire area storing the file information of the first user data file 84a and the second user data file 84b, Writing other data such as 0xff corresponds to "complete erasure". In this case, all the data stored in the A drive 73 will not remain in the file system nor in the second non-volatile memory 22, and the application 45, etc. also become inaccessible.

The system data is encrypted and stored in the B drive 75 of the second nonvolatile memory 22 . There is no way to decrypt the system data from which the key information 51 has been deleted. Therefore, the application 45 and the like cannot acquire the decrypted system data from the second nonvolatile memory 22 . Therefore, even if only the key information 51 is erased and the system data remains in the file system, an effect equivalent to "erasing the system data" can be obtained.

After completely erasing the A drive 73 as shown in FIG. 10A, the file system management unit 91 initializes or formats the second nonvolatile memory as shown in FIG. 11B. 22 to reconstruct the A drive 73x (S43). For example, the file system management unit 91 grasps the free space of the second non-volatile memory 22 from the partition information managed by the file system management unit 91 . Then, the file system management unit 91 checks the status of the free area and reserves an area with no abnormality as an area for reconstruction. Then, the file system management unit 91 stores the partition information indicating the reconstruction area in a predetermined area. Therefore, the A drive 73 x can be rebuilt in a different location from the A drive 73 before complete erasure, depending on the state of the second nonvolatile memory 22 . The file system management unit 91 that has reconstructed the A drive 73x reboots as shown in FIG. 10A (S44), and terminates the process.

In this way, the process of completely erasing the A drive 73 and the process of maintaining the A drive 73 by rebuilding are collectively performed. The safety of all stored user data can be guaranteed.

When the MFP 1 is discarded or recycled, for example, by inputting the first erasure instruction without user authentication, the MFP 1 can completely erase all the user data and prevent the leakage of the user data. Also, since the system data remains on the B drive 75, certain functions are maintained.

For example, when the address book button A2 is operated on the reset screen D1 of FIG. 4B, the file system management unit 91 accepts a delete instruction designating the file name of the second user data file 84b. In this case, the file system management unit 91 deletes the file information of the second user data file 84b from a predetermined area, so that the second user data file 84b is individually deleted on the file system, and the application 45 and the like are addressed. Cannot read book information.

Next, a control procedure for erasing system data from the second nonvolatile memory 22 by the MFP 1 will be described. For example, the system vendor or the like operates the system management button A14 on the various setting screen D11 of FIG. 4(A). Then, the CPU 31 executes the authentication process shown in FIG. After successful authentication based on the authentication information, the CPU 31 accepts the operation of the reset button A6 displayed on the system management screen D5 in FIG. 7B via the operation display unit 11 (S25: reset button), (S26). For example, the CPU 31 acquires the file names of the files stored in the B drive 75 from the file system management section 91 and displays them as a list. The CPU 31 waits until the file name is specified (S26: NO).

When, for example, the file name of the first system data file 86a is specified from among the file names displayed as a list (S26: YES), the CPU 31 stores the specified file name of the first system data file 86a in the file system management. It is passed to the section 91 (S27). Then, the CPU 31 passes the second erasure instruction to the file system management section 91 (S28), and terminates the process. The second erase instruction is an example of "an instruction to erase the second data stored in the second area". Therefore, the second erase instruction is input to MFP 1 by a method different from the first erase process. When the other button A7 on the system management screen D5 is operated (S25: NO), the CPU 31 performs other processing (S30) and terminates the processing.

The deletion of the system data by the system vendor or the like may be performed not only by operating the operation display unit 11 but also by using a PC application for deletion or a PJL command for deletion. That is, the PC application for deletion and the PJL command for deletion are open to the public only to system vendors and the like, and when the MFP 1 receives a command from the PC application for deletion or receives a PJL command for deletion, , it may be determined that the second erasure instruction has been accepted, and the second data erasure processing may be executed.

As shown in FIG. 10(B), when the file system management unit 91 receives the second erasure instruction designating the first system data file 86a, as shown in FIG. is erased from the third non-volatile memory 23 (S31). The processing of S31 is an example of "key deletion processing".

By deleting the first key information 51a, the MFP 1 decrypts the first system data file 86a so that it cannot be decrypted. That is, the first system data file 86a can be substantially erased. In this erasing method, after the second system data file 86b that is not to be erased is saved from the B drive 75, the B drive 75 is completely erased, and then the second system data file 86b is returned to the B drive 75. Compared to the erasing method of individually erasing one system data file 86a, the time required to erase the first system data file 86a can be shortened. In addition, the frequency of reading and writing system data in the second nonvolatile memory 22 can be reduced, and deterioration of the second nonvolatile memory 22 can be reduced. In this way, the erasure of the first key information 51a is used as a method of individually making the first system data file 86a unrestorable more easily than the erasure of the first system data file 86a itself.

Even if the first key information 51a is deleted, if the first system data file 86a remains in the file system, the application 45 or the like can access the first system data file 86a via the file system management unit 91. In this case, since the application 45 and the like cannot read the restored first system data file 86a, an error occurs.

Therefore, as shown in FIG. 10B, the file system management unit 91 deletes the first system data file 86a on the file system (S32), and terminates the process. The processing of S32 is an example of "data deletion processing". That is, the file system management unit 91 deletes the file information (for example, address) regarding the first system data file 86a from the predetermined area. In this case, as shown in FIG. 12B, although the first system data file 86a remains in the B drive 75, the application 45 or the like will no longer request reading of the first system data file 86a via the file system. , avoiding the error. In addition, the file system management unit 91 can overwrite the area of the B drive 75 occupied by the deleted first system data file 86a with another data. That is, the application 45 or the like can use the area via the file system.

As described above, the MFP 1 of this embodiment divides the second nonvolatile memory 22 into the A drive 73 and the B drive 75 according to the file system, and stores user data and system data separately in the A drive 73 and the B drive 75. Then, the user data and system data are erased by different erasing methods for the A drive 73 and the B drive 75 . As a result, for example, user data stored in the A drive 73 can be erased while system data stored in the B drive 75 remains. Since the user data stored in the A drive 73 is completely erased, the safety of the user data is ensured. When erasing the system data stored in the B drive 75, the system data itself is encrypted, and by erasing the corresponding key information 51, it becomes extremely difficult to decrypt and decipher the system data. , security is guaranteed equivalent to erasing the system data itself. Therefore, according to the MFP 1 of this embodiment, the data stored in the second nonvolatile memory 22 can be safely erased. Thus, according to the MFP 1 of this embodiment, it is possible to safely erase the data stored in the second nonvolatile memory 22 .

Moreover, user data is often data that is accessed more frequently than system data, and data that poses less danger even if leaked. Therefore, the user data is written to the A drive 73 without being encrypted, so that the application 45 or the like can read and write the user data to the second nonvolatile memory 22 at high speed via the file system. On the other hand, since the system data is encrypted and written to the B drive 75, it takes more time to read and write to the second nonvolatile memory 22 than unencrypted user data. However, if, for example, the first system data file 86a is erased by erasing the first key information 51a as in the present embodiment, after the second system data file 86b that is not to be erased is saved from the B drive 75, By completely erasing the B drive 75 and then returning the second system data file 86b to the B drive 75, compared to erasing the first system data file 86a itself, the system data can be erased unusably from the application 45 or the like. It can reduce the processing time required for

It should be noted that the present embodiment is merely an example, and does not limit the present invention in any way. Therefore, the present invention can naturally be improved and modified in various ways without departing from the scope of the invention. For example, MFP 1 may be a printer having only a printing function.

The processing of S11 in FIG. 5B may be omitted, and the system data may be encrypted using a previously held encryption key. However, as in the above embodiment, the encryption key is held in advance by generating the encryption key after receiving the second data write instruction and storing the key information 51 based on the encryption key in the third nonvolatile memory 23. The key information 51 is less likely to leak than the case.

The key information 51 may be erased by completely erasing the area for storing the key information 51 in S31 of FIG. 10B. According to this, when the MFP 1 is discarded or recycled, all the key information is not leaked, and the security of the system data is further enhanced. However, by individually erasing the key information 51, it is possible to delete only the system data to be erased.

The B drive 75 may also store unencrypted data. However, by storing only encrypted data in the B drive 75, the security of the data stored in the B drive 75 can be ensured only by erasing the key information 51. FIG.

The processing of S20 to S23 in FIG. 6 may be omitted, and the second data write instruction or second erase instruction may be accepted even if the authentication is not successful, like the first data write instruction or first erase instruction. However, by accepting the second data writing instruction and the second erasing instruction by the input operation after the successful authentication, and making it possible to individually erase the system data using the key information 51, for example, the system vendor etc. It is possible to prevent general users from erasing written system data.

The processing of S32 in FIG. 10B may be omitted, and the system data from which the key information 51 has been deleted may not be deleted on the file system.

The process of S43 in FIG. 10A may be omitted. However, after completely erasing the A drive 73 and erasing the user data, the A drive 73x can be easily used by reconstructing or initializing the A drive 73x.

If the reset screen D1 has an all data button A1 or a factory reset button, the B drive 75 may also be completely erased when the factory reset button is operated. Alternatively, the processing shown in FIG. 10B may be performed for all the system data stored in the B drive 75 . Also, if the all data button A1 is operated, only the A drive 73 is erased, and if the factory reset button is operated, both the A drive 73 and the B drive 75 are completely erased. good.

In the specification that the system data stored in the B drive 75 can be erased only when the second erase instruction is accepted, if the factory reset button to return the data to the factory shipment state is operated, there is data that cannot be erased, and the system vendor It is also possible to notify the user that it is necessary to have the user delete the data. Then, the MFP 1 inquires of the user who has confirmed the notification whether or not to continue the data erasure. 73 may be erased and the first data erasing process may not be performed if the instruction to continue is not accepted. According to this, the user who confirms the notification can avoid discarding or recycling the MFP 1 with data left in the B drive 75 by erroneously recognizing that the MFP 1 has returned to the factory shipment state.

Custom data may be written to the A drive 73 as user data. In this case, the custom data is data indicating the arrangement of custom material data. The custom material data is, for example, image data of backgrounds and icons used for the custom screen D22, and is stored in the B drive 75 as system data. MFP 1 may read custom material data from B drive 75, accept selection of custom material data via operation display unit 11, and create custom data. In this case, custom data is written to the A drive 73 as user data. The MFP 1 may read the custom data and the custom material data from the A drive 73 and the B drive 75, respectively, and display on the operation display unit 11 a screen on which the image data indicated by the custom material data is arranged according to the custom data.

If user data is encrypted, it may be stored in the B drive 75 . In this case, the encrypted user data is an example of "second data".

In any flow chart disclosed in the embodiments, multiple processes in any multiple steps can be arbitrarily changed in execution order or executed in parallel as long as there is no contradiction in the processing contents.

The processing disclosed in the embodiments may be performed by a single CPU, multiple CPUs, hardware such as an ASIC, or a combination thereof. Further, the processes disclosed in the embodiments can be realized in various forms such as a recording medium recording a program for executing the processes, a method, and the like.

1 MFP
13 Printing unit 22 Second nonvolatile memory 45 Application 73 A drive 75 B drive

Claims (13)

non-volatile memory;
an image forming unit;
An image forming apparatus comprising
The image forming apparatus is
An application program installed in the image forming apparatus having a file system used for accessing the nonvolatile memory can read and write data to and from the nonvolatile memory via the file system. The program includes an application program for processing a job for operating the image forming unit using data stored in the nonvolatile memory,
The nonvolatile memory is provided with a plurality of areas partitioned by the file system, and the plurality of areas includes a first area capable of storing first data and a second data. a storable second area; and
Further, the image forming apparatus
executing a data write process of encrypting the second data and writing the encrypted second data to the second area when an instruction to write the second data to the second area is accepted; death,
Further, the image forming apparatus
A specific nonvolatile storage area different from the first area and the second area is provided, and key information for the encrypted second data is stored in the specific nonvolatile storage area. cage,
When an instruction to erase the first area is received, executing a complete erase process for completely erasing the storage area of the first area in the nonvolatile memory,
When an instruction to erase the second data stored in the second area is received, executing a key erasing process of erasing the key information corresponding to the second data from the specific nonvolatile storage area. do,
An image forming apparatus characterized by: In the image forming apparatus according to claim 1,
The image forming apparatus is
When an instruction to write the second data in the second area is received, a key generation process for generating an encryption key is executed, and after execution of the key generation process, the data write process is performed as encrypting the second data using the encryption key generated by the method, writing the encrypted second data in the second area, and executing the key generating process; Executes a key write process for writing key information based on the encryption key generated in to the specific nonvolatile storage area,
An image forming apparatus characterized by: In the image forming apparatus according to claim 1 or claim 2,
The image forming apparatus is
completely erasing the key information corresponding to the second data from the specific non-volatile storage area in the key erasing process;
An image forming apparatus characterized by: In the image forming apparatus according to any one of claims 1 to 3,
In the second area, no unencrypted data is stored, and only the encrypted second data is stored.
An image forming apparatus characterized by: In the image forming apparatus according to any one of claims 1 to 4,
The image forming apparatus is
When an instruction to read the second data from the second area is received, the key information is read from the specific nonvolatile storage area and used for encryption of the second data based on the key information. executing key acquisition processing for acquiring the encryption key obtained by the key acquisition processing; after executing the key acquisition processing, the file system reads the second data from the second area; performing a process of decrypting the second data using a key;
An image forming apparatus characterized by: In the image forming apparatus according to any one of claims 1 to 5,
with a user interface,
The image forming apparatus is
when the erasure instruction for the first area is accepted by a first user operation via the user interface, executing the complete erasure process;
executing the key erasing process when the erasing instruction for the second data is accepted by a specific input method different from the first user operation;
An image forming apparatus characterized by: In the image forming apparatus according to claim 6,
Equipped with a communication interface,
The image forming apparatus is
when the erasure instruction for the first area is accepted by the first user operation via the user interface, executing the complete erasure process;
executing the key erasure process when the erasure instruction for the second data is accepted by receiving a command from an external device via the communication interface as the specific input method;
An image forming apparatus characterized by: In the image forming apparatus according to claim 6,
The image forming apparatus is
When an authentication instruction is received by a specific user operation via the user interface, performing an authentication process of requesting input of authentication information and performing user authentication based on the input authentication information,
when the erasure instruction for the first area is accepted by the first user operation via the user interface, executing the complete erasure process;
executing the key erasure process when the erasure instruction for the second data is received by accepting a second user operation different from the first user operation via the user interface as the specific input method; , the second user operation is an operation that can be input after authentication has succeeded in the authentication process, and the first user operation is an operation that can be input even if the authentication in the authentication process has not succeeded. be,
An image forming apparatus characterized by: In the image forming apparatus according to any one of claims 1 to 5,
a user interface;
with
The image forming apparatus is
storing the first data input by a first user operation through the user interface in the first area;
storing the second data input by a specific input method different from the first user operation in the second area;
An image forming apparatus characterized by: In the image forming apparatus according to claim 9,
Equipped with a communication interface,
The image forming apparatus is
storing the first data input by the first user operation through the user interface in the first area;
storing in the second area the second data input by receiving a command from an external device via the communication interface as the specific input method;
An image forming apparatus characterized by: In the image forming apparatus according to claim 9,
The image forming apparatus is
When an authentication instruction is received by a specific user operation via the user interface, performing an authentication process of requesting input of authentication information and performing user authentication based on the input authentication information,
storing the first data input by the first user operation through the user interface in the first area;
storing in the second area the second data input by a second user operation different from the first user operation via the user interface as the specific input method; The operation is an operation that can be input after successful authentication by the authentication process, and the first user operation is an operation that can be input even if the authentication by the authentication process is not successful.
An image forming apparatus characterized by: In the image forming apparatus according to any one of claims 1 to 11,
The image forming apparatus is
When receiving an instruction to erase the second data stored in the second area, executing data deletion processing for deleting the second data by the file system and the key deletion processing;
An image forming apparatus characterized by: In the image forming apparatus according to any one of claims 1 to 12,
The image forming apparatus is
When an instruction to erase the first area is received, the first area is reconstructed after executing the complete erasing process.
An image forming apparatus characterized by:

Images