KR102597220B1 - Method and system for sanitizing data - Google Patents

Abstract

The present invention provides a method for completely deleting data, which includes obtaining information about the interface and firmware of a data storage device; Determining a method of completely deleting data based on information about the interface and firmware; and completely deleting data in the data storage device using the determined data complete deletion method.

Description

Method and system for complete data deletion{METHOD AND SYSTEM FOR SANITIZING DATA}

The present invention relates to a method and system for completely deleting data from a data storage device.

Because information protection is important in modern society, it is important to protect data on data storage devices where information is stored.

The use or user of a data storage device frequently changes depending on the usage cycle of the data storage device or a change in the user of the data storage device. Accordingly, the importance of technology to completely delete user data from data storage devices has been highlighted due to privacy and security needs.

Not only are there many different types of data storage devices, but even for the same type of data storage device, the applicable complete deletion method varies depending on the manufacturer or firmware.

Conventionally, data complete deletion solutions that support various complete deletion methods and allow the user to select one of them have been proposed.

The technology behind the invention has been written to facilitate easier understanding of the invention. It should not be understood as an admission that matters described in the technology underlying the invention exist as prior art.

In conventional complete deletion solutions, users simply select one method to perform complete deletion.

However, the type of complete deletion method applicable to the data storage device may vary depending on conditions such as interface, firmware, encryption application, frozen status, and ATA Security Frozen, so specific complete deletion is possible. The method may not be applicable because it is not supported.

Accordingly, the inventors of the present invention attempted to develop a more flexible and reliable complete deletion method in response to conditions such as interface, firmware, encryption application, frozen status, and ATA protection lock status.

The problems of the present invention are not limited to the problems mentioned above, and other problems not mentioned will be clearly understood by those skilled in the art from the description below.

In order to solve the problems described above, a method for completely deleting data according to an embodiment of the present invention is provided. The method includes obtaining information about the interface and firmware of a data storage device; Determining a method of completely deleting data based on information about the interface and firmware; and completely deleting data in the data storage device using the determined data complete deletion method.

According to a feature of the present invention, the step of obtaining information about the interface and firmware of the data storage device may include checking whether encryption using a TPM (Trusted Platform Module) has been applied to the data storage device.

According to another feature of the present invention, when encryption using the TPM is applied, the step of completely deleting data in the data storage device may include deleting the encryption key stored inside the TPM and used for encryption.

According to another feature of the present invention, the step of completely deleting data from a data storage device may include checking whether a pre-reserved area has been set in the data storage device.

According to another feature of the present invention, when a pre-reserved area is set in the data storage device, the step of completely deleting data from the data storage device may include initializing the pre-reserved area.

According to another feature of the present invention, the step of initializing the pre-reserved area includes, when the data storage device is in a frozen state, the host connected to the data storage device enters the S3 power saving state among ACPI levels and automatically It may include a command to wake up.

According to another feature of the present invention, the method may further include verifying whether data in the data storage device has been completely deleted.

According to another feature of the present invention, when it is verified that the data in the data storage device has been completely deleted, the step of verifying whether the data in the data storage device has been completely deleted is performed by using the determined data complete deletion method as zero-fill. ) method may be included.

According to another feature of the present invention, the method may further include performing a performance degradation prevention process when the determined data complete deletion method is not a zero-fill method.

According to another feature of the present invention, performing a method for preventing performance degradation may include completely deleting data in a data storage device using a zero-fill data complete deletion method.

According to another feature of the present invention, the zero-fill data complete deletion method may include at least one of Sanitize Block Erase and ATA Security Erase.
In order to solve the problems described above, a method for completely deleting data according to another embodiment of the present invention is provided. The method includes obtaining information about the interface and firmware of a data storage device; determining a method of completely deleting data based on information about the interface and the firmware; Completely deleting data from the data storage device using a determined data complete deletion method; Verifying whether the data in the data storage device has been completely deleted; When it is verified that the data of the data storage device has been completely deleted, confirming whether the determined data complete deletion method is a zero-fill method; If the determined data complete deletion method is a zero-fill method, checking whether the sampled subsection is overwritten with zero after performing the determined complete deletion method; And when the determined data complete deletion method is not the zero-fill method, it may include performing a performance degradation prevention process.

In order to solve the problems described above, an apparatus for completely deleting data from a data storage device according to another embodiment of the present invention is provided. The apparatus includes a communication unit configured to communicate with a data storage device; a memory configured to store a data erasure application; and a control unit operatively connected to the communication unit and the memory, wherein the control unit is configured to obtain information about the interface and firmware of the data storage device and determine a method of completely deleting data based on the information about the interface and firmware, Then, the data in the data storage device is completely deleted using the determined data complete deletion method. In order to solve the problems described above, an apparatus for completely deleting data from a data storage device according to another embodiment of the present invention is provided. The apparatus includes a communication unit configured to communicate with a data storage device; a memory configured to store a data erasure application; and a control unit operably connected to the communication unit and the memory, wherein the control unit acquires information about the interface and firmware of the data storage device, and based on the information about the interface and the firmware, a method of completely deleting data. Determine, completely delete the data of the data storage device using the determined data complete deletion method, verify whether the data of the data storage device has been completely deleted, and completely delete the data of the data storage device. If it is verified that the determined data complete deletion method is a zero-fill method, it is confirmed that the determined data complete deletion method is a zero-fill method, and if the determined data complete deletion method is performed, the sampled subsection is zero. , and, if the determined data complete deletion method is not the zero-fill method, perform a performance degradation prevention process.

Specific details of other embodiments are included in the detailed description and drawings.

The present invention can achieve more flexible and reliable complete deletion by responding to conditions such as interface, firmware, encryption application, frozen status, and ATA protection lock status.

Additionally, the present invention can achieve very high stability against malicious or accidental interruption and very high reliability against complete data deletion.

The effects according to the present invention are not limited to the details exemplified above, and further various effects are included within the present invention.

1 is a schematic diagram of a data complete deletion system according to an embodiment of the present invention.
Figure 2 is a block diagram showing the configuration of a data complete deletion system according to an embodiment of the present invention.
Figure 3 is a block diagram showing the configuration of a data complete deletion system according to an embodiment of the present invention.
Figure 4 is a block diagram showing a method for completely deleting data according to an embodiment of the present invention.
Figure 5 is a block diagram showing the steps of completely deleting data from a data storage device in a data complete deletion method combining various embodiments of the present invention.

The advantages and features of the present invention and methods for achieving them will become clear by referring to the embodiments described in detail below along with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below and will be implemented in various different forms, but the present embodiments only serve to ensure that the disclosure of the present invention is complete and are within the scope of common knowledge in the technical field to which the present invention pertains. It is provided to fully inform those who have the scope of the invention, and the present invention is only defined by the scope of the claims. In connection with the description of the drawings, similar reference numbers may be used for similar components.

In this document, expressions such as “have,” “may have,” “includes,” or “may include” refer to the existence of the corresponding feature (e.g., a numerical value, function, operation, or component such as a part). , and does not rule out the existence of additional features.

In this document, expressions such as “A or B,” “at least one of A or/and B,” or “one or more of A or/and B” may include all possible combinations of the items listed together. . For example, “A or B,” “at least one of A and B,” or “at least one of A or B” includes (1) at least one A, (2) at least one B, or (3) it may refer to all cases including both at least one A and at least one B.

Expressions such as “first,” “second,” “first,” or “second,” used in this document can modify various components regardless of order and/or importance, and can refer to one component. It is only used to distinguish from other components and does not limit the components. For example, a first user device and a second user device may represent different user devices regardless of order or importance. For example, a first component may be renamed as a second component without departing from the scope of rights described in this document, and similarly, the second component may also be renamed as the first component.

A component (e.g., a first component) is “(operatively or communicatively) coupled with/to” another component (e.g., a second component). When referred to as being “connected to,” it should be understood that any component may be directly connected to the other component or may be connected through another component (e.g., a third component). On the other hand, when a component (e.g., a first component) is said to be “directly connected” or “directly connected” to another component (e.g., a second component), It may be understood that no other component (e.g., a third component) exists between other components.

As used in this document, the expression “configured to” depends on the situation, for example, “suitable for,” “having the capacity to.” ," can be used interchangeably with "designed to," "adapted to," "made to," or "capable of." The term “configured (or set to)” may not necessarily mean “specifically designed to” in hardware. Instead, in some contexts, the expression “a device configured to” may mean that the device is “capable of” working with other devices or components. For example, the phrase "processor configured (or set) to perform A, B, and C" refers to a processor dedicated to performing the operations (e.g., an embedded processor), or by executing one or more software programs stored on a memory device. , may refer to a general-purpose processor (e.g., CPU or application processor) capable of performing the corresponding operations.

Terms used in this document are merely used to describe specific embodiments and may not be intended to limit the scope of other embodiments. Singular expressions may include plural expressions, unless the context clearly indicates otherwise. Terms used herein, including technical or scientific terms, may have the same meaning as generally understood by a person of ordinary skill in the technical field described in this document. Among the terms used in this document, terms defined in general dictionaries may be interpreted to have the same or similar meaning as the meaning they have in the context of related technology, and unless clearly defined in this document, have an ideal or excessively formal meaning. It is not interpreted as In some cases, even terms defined in this document cannot be interpreted to exclude embodiments of this document.

Each feature of the various embodiments of the present invention can be partially or fully combined or combined with each other, and as can be fully understood by those skilled in the art, various technical interconnections and operations are possible, and each embodiment may be implemented independently of each other. It may be possible to conduct them together due to a related relationship.

Hereinafter, various embodiments of the present invention will be described in detail with reference to the attached drawings.

1 is a schematic diagram of a data complete deletion system according to an embodiment of the present invention.

Referring to FIG. 1, the data complete deletion system includes a host 100 and a data storage device 200. The host 100 and the data storage device 200 may transmit and receive commands and/or data according to the interface 300.

The host 100 is not limited and is a device for performing the complete deletion method disclosed in this specification. In this specification, the term 'sanitization' means deleting data from a data storage device so that recovery is not possible using a logical method. Host 100 may include, for example, a server, general-purpose computer, laptop, network-attached storage, tablet device, smartphone, etc. The host 100 may include a plurality of distributed individual hosts that can collectively perform a complete deletion method. Additionally, the host 100 may be connected adjacent to or remotely connected to the data storage device 200.

The data storage device 200 is a storage device that includes memory that is subject to complete deletion. The data storage device 200 is not limited and includes hard disk type, flash memory type, multimedia card micro type, and card type memory (e.g., SD It is a data storage device including (or XD memory, etc.), self-encrypting drive (SED), etc. Additionally, the data storage device 200 may be connected adjacent to the host 100 or may be connected remotely.

The interface 300 can operate according to an interface standard that is supportable by the host 100 and the data storage device 200. Interface standards may include Advanced Technology Attachment (ATA), Small Computer System Interface (SCSI), and Non-Volatile Memory Express (NVMe). The ATA interface can be configured for hard disk types and flash memory types such as SSDs, the SCSI interface can be configured for hard disk types, etc., and the MVMe interface can be configured for flash memory types such as SSDs.

Figure 2 is a block diagram showing the configuration of a data complete deletion system according to an embodiment of the present invention. In Figure 2, the host 100 is adjacent to and connected to the data storage device 200.

Referring to FIG. 2, the host 100 includes a memory 110, a control unit 120, and a communication unit 130. The data storage device 200 includes a memory 210, a control unit 220, a communication unit 230, and firmware 240. Host 100 includes data storage device 200.

The memory 110 of the host 100 may store a data complete deletion application 111, etc. The memory 110 of the host 100 is distinguished from the memory 210 of the data storage device 200, which is subject to complete deletion. The memory 110 of the host 100 is not limited and may include flash memory type, hard disk type, multimedia card micro type, and card type memory (e.g. For example, SD or Read-Only Memory), magnetic memory, magnetic disk, optical disk, etc.

The memory 210 of the data storage device 200 is a memory subject to complete deletion, but is not limited to hard disk type, flash memory type, and multimedia card micro type. micro type), card-type memory (e.g. SD or XD memory, etc.), self-encrypting drive (SED), etc.

The data complete deletion application 111 is an application configured to execute the data complete deletion method disclosed in the present invention. The data complete deletion application 111 is generally stored in the memory of the host 110, but may also be stored in a removable storage device (eg, USB, optical disk, external hard drive, etc.) connected to the host 100.

The control unit 120 of the host 100 is operably connected to the memory 110 and the communication unit 130. The control unit 220 of the data storage device 200 is operably connected to the memory 210 and the communication unit 230. The control unit 120 of the host 100 and the control unit 220 of the data storage device 200 may control or perform operations related to the data complete deletion method disclosed in the present invention. The control unit 120 of the host 100 is a general-purpose processor (generic) capable of performing the corresponding operations by executing one or more software programs, such as a dedicated processor (e.g., embedded processor) and a data complete deletion application 111 stored in a memory device. -purpose processor) (e.g. CPU or application processor), etc. Hereinafter, the operations of the control unit 120 of the host 100 and the control unit 220 of the data storage device 200 will be briefly described.

The control unit 120 of the host 100 can perform the data complete deletion method disclosed in the present invention by executing the data complete deletion application 111. The control unit 120 may obtain information about the interface and firmware of the data storage device 200. The control unit 120 may determine a method of completely deleting data based on information about the interface and firmware. The control unit 120 can completely delete the data of the data storage device 200 using the determined data complete deletion method. The control unit 120 may determine whether encryption using TPM has been applied to the data storage device 200. The control unit 120 can delete the encryption key stored inside the TPM and used for encryption. The control unit 120 may check whether a pre-reserved area has been set in the data storage device 200. If a pre-reserved area is set, the control unit 120 may initialize the pre-reserved area. The control unit 120 may check whether the data storage device 200 is in a frozen state. When the data storage device 200 is in a frozen state, the control unit 120 commands the host 100 connected to the data storage device 200 to enter the S3 power saving state among ACPI levels and automatically wake up. You can. The control unit 120 may verify whether data in the data storage device 200 has been completely deleted. When it is verified that the data storage device 200 has been completely deleted, the control unit 120 may check whether the last performed (determined) data complete deletion method is the zero-fill method. If the last (determined) data complete deletion method is not a zero-fill method, the control unit 120 may perform a performance degradation prevention process based on information about the interface and firmware of the data storage device 200. . If it is verified that the data in the data storage device 200 has not been completely deleted, the control unit 120 may change the data complete deletion method.

The control unit 220 of the data storage device 200 may control the operation of the memory 210 through the firmware 240. For example, the control unit 220 of the data storage device 200 writes and/or overwrites data to the memory 210 or retrieves data from the memory 210 through the firmware 240. It can be erased.

The communication unit 130 of the host 100 and the communication unit 2230 of the data storage device 200 are configured to communicate with each other through the interface 300. The communication unit 130 of the host 100 and the communication unit 230 of the data storage device 200 are not limited, and are not limited to a wireless communication unit (e.g., a cellular communication unit, a short-range wireless communication unit, etc.) or a wired communication unit (e.g., LAN (local area network) communication unit, power line communication unit, data transmission line communication unit, etc.), and the corresponding communication unit may be used to communicate with physically/logically separated devices.

The firmware 240 is software included within the data storage device 200 and is configured to control the hardware operation of the data storage device 200. Specifically, the firmware 211 is configured to control the operation of the memory 210. The data storage device 200 may perform operations of storing and deleting data through the firmware 240. Depending on the type or version of the firmware 240, the function or performance of the data storage device 200 varies. In particular, depending on the type or version of the firmware 240, the applicable complete deletion method varies.

Figure 3 is a block diagram showing the configuration of a data complete deletion system according to another embodiment of the present invention. Referring to FIG. 3, the host 100 is located remotely to the data storage device 200, and the host 100 is connected online to the data storage device 200. The host 100 may command the data storage device 200 online to perform the data complete deletion method disclosed in the present invention.

Referring to FIG. 3, the host 100 includes a memory 110, a control unit 120, and a communication unit 130. The data storage device 200 includes a memory 210, a control unit 220, and a communication unit 230. The only difference between the embodiment of FIG. 3 and the embodiment of FIG. 2 is whether the host 100 and the data storage device 200 are located remotely.

Figure 4 is a block diagram showing a method for completely deleting data according to an embodiment of the present invention.

First, a step of obtaining information about the interface and firmware of the data storage device 100 is performed (S400). Information about the interface 300 and firmware 240 of the data storage device 100 includes the type of the interface 300 of the data storage device 200 and the type or version of the firmware 240 of the data storage device 200. do. The applicable complete deletion method varies depending on the type of interface 300 of the data storage device 200 and the type or version of the firmware 240 of the data storage device 200.

Specifically, in the ATA interface, Sanitize Block Erase, Cryptography Block Erase, Overwrite Block Erase, ATA Security Erase, and ATA Enhanced Security Erase are applicable as complete deletion methods. In the SCSI interface, Sanitize Block Erase, Cryptography Block Erase, Overwrite Block Erase, ATA Security Erase, and ATA Enhanced Security Erase are applicable as complete erase methods. In the NVMe interface, Sanitize Block Erase, Cryptography Block Erase, and Overwrite Block Erase can be applied as complete erasure methods. However, some complete deletion methods in each interface may not be applicable depending on the type or version of the firmware 211, and the above-mentioned complete deletion methods may be implemented or completely deleted depending on the manufacturer or type of complete deletion solution. There may be some differences in the names.

Below, the complete erasure methods (Sanitize Block Erase, Cryptography Block Erase, Overwrite Block Erase, ATA Security Erase, and ATA Enhanced Security Erase) used in this specification are defined.

Sanitize Block Erase completely deletes data from the data storage device 200 by deleting not only the information recorded in the mapping table of the data storage device 200 (hereinafter referred to as 'mapping data'), but also the information recorded in all blocks. It's a method. The mapping table is a table that maps the data stored in the data storage device 200 and the location of the stored data. Since Sanitize Block Erase corresponds to a zero-fill method, if the memory 210 of the data storage device 200 is a flash memory type such as a solid state drive (SSD), Sanitize Block Erase is used in the data storage device 200. All blocks in (200) are overwritten with zero. Specifically, Sanitize Block Erase erases data by applying high voltage to cells within NAND flash memory. The criterion that the applied voltage is high voltage means that the voltage is so high that the previous value cannot be inferred by comparing the charge amount of the cell before and after the application of the voltage. Unlike the high voltage applied in Sanitize Block Erase, in a general overwrite operation, although not a high voltage, enough voltage is applied to charge the cell above the threshold and logically determine it to be in a zero state. Accordingly, in a general overwrite operation, there is a possibility that the previous value can be inferred by precisely analyzing the charge amount of the cell before and after the application of voltage. Therefore, in a general overwrite operation, there is a possibility that data can be recovered using a logical method. do.

Cryptography Block Erase is a method of completely deleting data by encrypting the data of the data storage device 200 and deleting the encryption key.

Overwrite Block Erase is a method of completely erasing data from the data storage device 200 by overwriting all blocks of the data storage device 200 with a predetermined data pattern. In general, when all blocks of the data storage device 200 are overwritten more than twice, it takes a lot of time, but complete deletion of data from the data storage device 200 is guaranteed.

ATA Security Erase is a method of completely erasing data from the data storage device 200 by deleting information recorded in all blocks of the data storage device 200. Since ATA Security Erase corresponds to the zero-fill method, if the memory 210 of the data storage device 200 is a flash memory type such as SSD, ATA Security Erase zeroes all blocks of the data storage device 200. ) overwrite it.

ATA Enhanced Security Erase is a method of completely erasing data from the data storage device 200 by deleting mapping data and information recorded in all blocks of the data storage device 200. ATA Enhanced Security Erase completely deletes data from the data storage device 200 by overwriting all blocks of the data storage device 200 with a predetermined data pattern.

In various embodiments, the step of obtaining information about the interface and firmware of the data storage device (S410) may include checking whether encryption using a TPM (Trusted Platform Module) has been applied to the data storage device 200. You can. Encryption applied to the data storage device 200 includes, for example, BitLocker. However, the encryption using TPM below is not limited to this, and the same method applied to BitLocker can be applied to other methods. BitLocker is a data protection function using encryption. It protects data by encrypting data on the entire volume using the Bitlocker encryption key. BitLocker encryption can be integrated with the operating system to address the threat of data exposure or data theft from lost, stolen, or improperly decommissioned data storage devices 200.

When encryption using the TPM is applied, the method for completely deleting data disclosed in the present invention may include deleting the encryption key stored inside the TPM and used for encryption. For example, when BitLocker encryption using a TPM is applied, the method for completely deleting data disclosed in the present invention may include deleting the BitLocker encryption key stored inside the TPM and used for encryption. The BitLocker encryption key inside the TPM can be deleted using the Clear TPM command. If the BitLocker encryption key inside the TPM is deleted, decryption of data on the entire encrypted volume becomes impossible. Accordingly, complete deletion of data of the entire encrypted volume is possible. The steps for deleting the encryption key stored inside the TPM and used for encryption will be described later.

Based on the information about the interface and the firmware, a step of determining a method of completely deleting data is performed (S410). Specifically, based on the acquired information about the interface and firmware of the data storage device, a complete deletion method applicable to the data storage device is identified. If there are multiple applicable complete deletion methods, the complete deletion method to be performed is determined according to priority. The priority may be predetermined by the manufacturer or user of the data deletion application. Preferably, when at least one of Sanitize Block Erase and Cryptography Block Erase is applicable, at least one of Sanitize Block Erase and Cryptography Block Erase may be predetermined to be performed as first priority. If Overwrite Block Erase is applicable, it may be predetermined that Overwrite Block Erase is performed as a second priority. If at least one of ATA Security Erase and ATA Enhanced Security Erase is applicable, at least one of ATA Security Erase and ATA Enhanced Security Eras may be predetermined to be performed as a third priority. As described later, ATA Security Erase and ATA Enhanced Security Erase cannot be performed in a frozen state, and in particular, because ATA Security Erase is a legacy method, ATA Security Erase and ATA Enhanced Security Erase have low priority. . Accordingly, the complete deletion method according to the present invention corresponds to the interface and firmware to achieve more flexible and reliable complete deletion.

A step of completely deleting data in the data storage device is performed using the determined data complete deletion method (S420).

In various embodiments, the step of completely deleting data of the data storage device 200 includes checking whether a pre-reserved area is set in the data storage device, and if the pre-reserved area is set, the pre-reserved area It may include an initialization step. Whether a pre-reserved area is set is determined by checking whether there is a change in data that is different from the initial value set by the user, etc., rather than simply whether the pre-reserved area exists.

The pre-reserved area of the data storage device is an area that is generally inaccessible to users, and data may be preserved in this area even if the data storage device is formatted or deleted. Areas reserved in advance for data storage devices include HPA (Host Protected Area), DCO (Device Configuration Overlay), AMAC (Accessible Max Address Configuration), etc. Data can be stored in pre-reserved areas, and can be abused to hide data through rootkits, etc., and can also be exploited for anti-forensics. Therefore, when a reserved area is set in advance, complete data deletion with very high reliability can be achieved through the initialization step.

The step of initializing at least one of the pre-reserved areas HPA, DCO, and AMAC cannot be performed when the data storage device 200 is in a frozen state. For example, when the system connected to the data storage device 200 boots with the OS stored on the removable storage device, the data storage device 200 may be in a frozen state. In this specification, the frozen state of the data storage device 200 includes an ATA Security Frozen state. A step is performed to check whether at least one of the pre-reserved areas HPA, DCO, and AMAC is set, and if at least one of the pre-reserved areas HPA, DCO, and AMAC is set, the data storage device 200 is frozen. A step is performed to check whether the status is present or not. When the frozen state is confirmed, the step of initializing at least one of HPA, DCO, and AMAC among the pre-reserved areas is an operation to release the frozen state, and the host 100 connected to the data storage device 200 is at one of the ACPI levels. An additional step of entering the S3 (Suspend to Ram) sleeping state and automatically waking up may be included. Accordingly, the host 100 connected to the data storage device 200 enters the S3 sleep state and automatically wakes up, thereby releasing the frozen state. The data storage device 200 (or a system connected to the data storage device 200) may use an RTC Alarm as a wake option to automatically wake up. Additionally, ATA Security Erase and ATA Enhanced Security Erase applicable to ATA and SCSI interfaces cannot be performed when the data storage device 200 is in a frozen state. Therefore, the step of initializing at least one of HPA, DCO, and AMAC among the pre-reserved areas is not only required to additionally secure the reliability of complete erasure, but is also necessary to perform at least one of ATA Security Erase and ATA Enhanced Security Erase. .

In order to release the frozen state, the user must physically unplug not only the power cable but also the data cable of the data storage device 200 and then reconnect the power cable and data cable. Accordingly, this method may not be possible if the user is remotely located at the data storage device 200. However, in the complete deletion method disclosed in the present invention, the step of initializing at least one of HPA, DCO, and AMAC among the preset areas is performed when the host 100 connected to the data storage device 200 in the frozen state is in the S3 power saving state among ACPI levels. It includes the step of commanding the device to enter and automatically wake up. Since these steps can be performed online through the communication unit 130 of the host 100, in the complete deletion method disclosed in the present invention, these steps are performed even when the user is remotely located in the data storage device 200. , the frozen state of the data storage device can be released. As a result, the step of commanding the host 100 connected to the data storage device 200 in a frozen state to enter the S3 sleep state among ACPI levels and automatically wake up is performed without the user physically accessing the data storage device 200. Furthermore, it is possible to perform the data complete deletion method disclosed in the present invention on a plurality of data storage devices 200 located remotely through one host 100.

In various embodiments, the step of completely deleting the data of the data storage device 200 includes, when BitLocker encryption using a TPM is applied to the data storage device 200, the BitLocker encryption key stored inside the TPM and used for encryption. A deletion step may be further included. At this time, the step of deleting the BitLocker encryption key stored inside the TPM and used for encryption may be performed before performing the determined data complete deletion method. If the BitLocker encryption key has been backed up, it may be possible to restore data even if the BitLocker encryption key is deleted. Nevertheless, deleting the BitLocker encryption key from the TPM before performing the determined data sanitization method is generally recommended, as deleting the BitLocker encryption key is performed relatively faster than other determined data sanitization methods. Even if the entire sanitization process (which performs both the deleting method and the determined sanitization method) is maliciously or accidentally interrupted, the BitLocker encryption key backed up from the TPM has already been deleted, so data from the user device 200 is initially deleted fairly quickly. This is because it can be completely deleted. In addition, after the determined complete deletion method is performed secondarily, the completely deleted data cannot be restored even through the backed-up BitLocker encryption key, so deleting the BitLocker encryption key before performing the determined data complete deletion method is necessary. Compared to methods that perform the opposite order or a single determined data sanitization method, it makes it possible to achieve very high stability against malicious or accidental interruption and very high reliability of data sanitization.

In various embodiments, the method of completely deleting data may further include verifying whether the data of the data storage device 200 has been completely deleted. Specifically, the step of verifying whether data has been completely deleted is (i) before performing the determined complete deletion method, logically dividing the entire area of the data storage device 200 into subsections, and dividing a specific number of subsections according to the verification ratio. Sample the subsection (i.e., sampling before performing the determined complete deletion method), store the hash value of the sampled subsection in a suitable location such as the memory 110 of the host 100, and (ii) perform the determined complete deletion method. After performing the process, compare the hash values of the sampled subsections before and after performing the determined complete deletion method. As a result of comparing the hash values, if even one value is the same, it is determined that the data of the data storage device 200 has not been completely deleted.

Depending on the result of verifying whether the data of the data storage device 200 has been completely deleted, (i) if it is verified that it has not been completely deleted, a step of changing the data complete deletion method may be further performed, and (ii) If it is verified that it has been completely deleted, a further step may be performed to check whether the last completely deleted data method was the zero-fill method. The step of changing the data complete deletion method is to select one of the remaining complete deletion method(s) when there are multiple determined complete deletion methods using the same method as the step of determining the complete deletion method described above (S410). , includes a decision step.

According to the results of confirming whether the determined data complete deletion method is a zero-fill method, (i) if the determined data complete deletion method is a zero-fill method, the sampled subsection is overwritten with zero after performing the determined data complete deletion method. A step of checking whether the data is completely deleted may be further performed, and (ii) if the determined data complete deletion method is not a zero-fill method, a step of performing a performance degradation prevention process may be further included. The step of performing the performance degradation prevention process includes checking whether the performance degradation prevention process is possible based on information about the interface and firmware of the data storage device 200. The performance degradation prevention process includes the step of completely deleting data in the data storage device 200 using a zero-fill data complete deletion method. In the case of a flash memory type such as SSD, the process to prevent performance degradation can be performed using at least one of Sanitize Block Erase and ATA Security Erase. To prevent performance degradation, using at least one of the zero-fill methods of Sanitize Block Erase and ATA Security Erase is necessary because, in the case of NAND flash memory, writing is performed in units of page size and these pages may be overwritten. Because it is not possible. In NAND flash memory, writing can be performed only when all blocks included in the page are erased and the page becomes free. If data has already been written (randomly), the page is marked as stale, and in order to write, the entire block containing the page must be deleted. Accordingly, an immediate drop in performance for writing occurs in NAND flash memory. By using at least one of the zero-fill methods of Sanitize Block Erase and ATA Security Erase, all blocks in NAND flash memory are overwritten with zero, and writing is performed immediately without a preceding erase process that frees the page. This prevents performance degradation.

Figure 5 is a block diagram showing a step (S420) of completely deleting data from a data storage device in a data complete deletion method combining various embodiments of the present invention.

Referring to FIG. 5, a step (S500) is performed to first check whether at least one of the pre-reserved areas HPA, DCO, and AMAC is set. When it is confirmed that at least one of the preset areas HPA, DCO, and AMAC is set, it is checked whether the data storage device 200 is in a frozen state (S501). When the data storage device 200 is in a frozen state, a step is performed to command the host 100 connected to the data storage device 200 to enter the S3 sleep state among ACPI levels and automatically wake up ( S502). If the data storage device 200 is not in a frozen state, a step of initializing a preset area is performed (503).

If it is not confirmed that at least one of the preset areas HPA, DCO, and AMAC is set, sampling is performed before performing the determined complete deletion method (to verify complete deletion after performing the determined complete deletion method) (S510) . A case in which it is not confirmed that at least one of the preset areas HPA, DCO, and AMAC is set also includes a case in which at least one of the preset areas HPA, DCO, and AMAC does not exist. In addition, even after the step of initializing the preset area (503) is performed, sampling is performed before performing the determined complete deletion method (S510).

After sampling, when BitLocker encryption using the TPM is applied to the data storage device 200, a step of deleting the BitLocker encryption key stored inside the TPM and used for encryption is performed (S520). After deleting the BitLocker encryption key, the (determined) complete deletion method is performed (S530).

Next, after the (determined) complete deletion method is performed, a step of verifying whether the data of the data storage device 200 has been completely deleted is performed (S540). If it is verified that the data storage device 200 has not been completely deleted, a step of changing the data complete deletion method is performed (S541).

When it is verified that the data storage device 200 has been completely deleted, a step is performed to check whether the last completely deleted data method was the zero-fill method (S550). If the last data complete deletion method performed is the zero-fill method, the step of completely deleting data from the data storage device ends. If the last data complete deletion method performed is not the zero-fill method, at least one of Sanitize Block Erase and ATA Security Erase is applied as a performance degradation prevention process based on information about the interface and firmware of the data storage device 200. A step is performed to check if it is possible (S551). If at least one of Sanitize Block Erase and ATA Security Erase is applicable, at least one of Sanitize Block Erase and ATA Security Erase is performed (S552). If at least one of Sanitize Block Erase and ATA Security Erase is not applicable, the step of completely deleting data on the data storage device ends.

Although embodiments of the present invention have been described in more detail with reference to the accompanying drawings, the present invention is not necessarily limited to these embodiments, and may be modified and implemented in various ways without departing from the technical spirit of the present invention. there is. Accordingly, the embodiments disclosed in the present invention are not intended to limit the technical idea of the present invention, but are for illustrative purposes, and the scope of the technical idea of the present invention is not limited by these embodiments. Therefore, the embodiments described above should be understood in all respects as illustrative and not restrictive. The scope of protection of the present invention should be interpreted in accordance with the claims below, and all technical ideas within the equivalent scope should be construed as being included in the scope of rights of the present invention.

100: host
110: memory
111: Data complete deletion application
120: control unit
130: Department of Communications
200: data storage device
210: memory
220: control unit
230: Department of Communications
240: Firmware
300: interface

Claims (13)

Obtaining information about the interface and firmware of the data storage device;
determining a method of completely deleting data based on information about the interface and the firmware;
Completely deleting data from the data storage device using a determined data complete deletion method;
Verifying whether the data in the data storage device has been completely deleted;
When it is verified that the data of the data storage device has been completely deleted, confirming whether the determined data complete deletion method is a zero-fill method;
If the determined data complete deletion method is a zero-fill method, checking whether the sampled subsection is overwritten with zero after performing the determined complete deletion method; and
If the determined data complete deletion method is not the zero-fill method, performing a performance degradation prevention process. According to claim 1,
Obtaining information about the interface and the firmware of the data storage device includes checking whether encryption using a Trusted Platform Module (TPM) has been applied to the data storage device. According to claim 2,
When the encryption using the TPM is applied, the step of completely deleting the data of the data storage device includes deleting an encryption key stored inside the TPM and used for the encryption. . According to claim 1,
The step of completely deleting the data of the data storage device includes checking whether a pre-reserved area is set in the data storage device. According to claim 4,
When the pre-reserved area is set in the data storage device, the step of completely deleting the data of the data storage device includes initializing the pre-reserved area. According to claim 5,
The step of initializing the pre-reserved area includes commanding the host connected to the data storage device to enter the S3 sleep state among ACPI levels and automatically wake up when the data storage device is in a frozen state. Including, how to completely delete data. delete delete delete According to claim 1,
The performing of the method for preventing performance degradation includes completely deleting the data of the data storage device using the zero-fill data complete deletion method. According to claim 10,
The zero-fill method of completely deleting data includes at least one of Sanitize Block Erase and ATA Security Erase. According to claim 1,
When it is verified that the data of the data storage device has not been completely deleted, the method of completely deleting data further includes the step of changing the method of completely deleting data. A device for completely deleting data from a data storage device,
a communication unit configured to communicate with a data storage device;
a memory configured to store a data erasure application; and
A control unit operable connected to the communication unit and the memory,
The control unit,
Obtain information about the interface and firmware of the data storage device,
Based on information about the interface and the firmware, determine a method of completely deleting data,
Using the determined data complete deletion method, completely delete the data in the data storage device,
Verify whether the data in the data storage device has been completely deleted,
When it is verified that the data of the data storage device has been completely deleted, confirm whether the determined data complete deletion method is a zero-fill method,
If the determined data complete deletion method is a zero-fill method, check whether the sampled subsection is overwritten with zero after performing the determined complete deletion method, and
An apparatus configured to perform a performance degradation prevention process when the determined data complete deletion method is not the zero-fill method.