When we remove critical data from our embedded devices using standard means, the data doesn’t fully disappear. Specific actions need to be taken to ensure sensitive data is not just hanging around on the device, waiting to be plundered. One of the best ways to protect that data is by properly erasing it when it is no longer needed.
Understanding NAND-based secure data removal
We spoke recently about this vital process of securely removing data, specifically from NAND-based media. Secure erase isn’t the only way to protect your embedded device data, but it is one of the most effective. Encryption and encoding are also good tools to use for secure data at rest. However, when a design falls into the wrong hands, these methods are insufficient to protect that data forever – it is better to have the data removed when it is no longer required. There is no lasting security through obscurity.
The truth is that securely erasing NAND-based media is not like erasing the older magnetic media of the past. It is simply a more challenging process, as we described in our earlier blog post for comparison purposes. Ultimately, removing secure data is a process of connected steps, and the best designs draw on information from the flash media, file system, and application vendors.
Tuxera has represented each of those roles. During the conference, I touched briefly on our software controller for raw flash media, FlashFX Tera. In this blog post I’d like to describe in more detail some of the steps taken to securely remove data at that level, including the specific tools and methods involved.
Tidying things up with garbage collection
We start by dealing with copies of secure data on the device. Since NAND cannot be modified in place, these copies are left over from copy-on-write commands, wear leveling, and other performance shortcuts. These obsolete copies are removed through a process known as compaction or garbage collection, occurring after the file system notifies the flash media controller that the data in question is no longer in use. FlashFX Tera has an API to request a compaction, similar to the Sanitize API provided by eMMC and UFS media.
At the application level, the process looks like this. Secure data is created on the media. Then, when that data needs to be modified, the application can “overwrite” the existing data. Although the NAND media will not physically overwrite the data pages, the flash controller will automatically mark the previous page as ready to be erased. The API can then be called to compact the erase block, leaving only a single copy of the secure data.
Discards and trims to finish the job
For proper protection, the secure data file then needs to be completely removed. This can be done by overwriting the whole file first, but the better method is to use the file system discard or trim command instead. Following that, a normal compaction (or an immediate one triggered by the API) removes the last remnant of that secure data from the media. At last, our data is fully erased from our device – it’s safe.
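To make the sequence above concrete, here is a toy flash translation layer written for this post. It is an added example, not FlashFX Tera code or any Tuxera API: the class names, the page layout, and the sample key values are all constructed. It models the three behaviours the text relies on: pages cannot be rewritten in place, so an “overwrite” leaves a stale copy behind; discard/trim makes data unreadable through the mapping without touching the cells; and only compaction (garbage collection followed by a block erase) physically removes the bytes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PAGES_PER_BLOCK = 4  # constructed: tiny geometry so the walk-through fits in one block


@dataclass
class Page:
    data: Optional[bytes] = None   # None models the erased cell state
    lba: Optional[int] = None      # logical address mapped to this page
    valid: bool = False            # False once superseded or discarded (stale copy)


@dataclass
class Block:
    pages: List[Page] = field(default_factory=lambda: [Page() for _ in range(PAGES_PER_BLOCK)])

    def erase(self) -> None:
        # Erase is the only operation that clears NAND cells, and it works on whole blocks.
        self.pages = [Page() for _ in range(PAGES_PER_BLOCK)]

    def has_stale(self) -> bool:
        return any(p.data is not None and not p.valid for p in self.pages)


class ToyFTL:
    """Hypothetical copy-on-write flash translation layer (not the product's code)."""

    def __init__(self, n_blocks: int = 3) -> None:
        self.blocks = [Block() for _ in range(n_blocks)]
        self.map: Dict[int, Tuple[int, int]] = {}  # lba -> (block index, page index)

    def write(self, lba: int, data: bytes) -> None:
        # NAND pages cannot be rewritten in place: append to a free page and mark
        # the previous copy stale. The old bytes remain physically on the media.
        for bi, blk in enumerate(self.blocks):
            for pi, pg in enumerate(blk.pages):
                if pg.data is None:
                    if lba in self.map:
                        obi, opi = self.map[lba]
                        self.blocks[obi].pages[opi].valid = False
                    pg.data, pg.lba, pg.valid = data, lba, True
                    self.map[lba] = (bi, pi)
                    return
        raise RuntimeError("no free page: compact first")

    def read(self, lba: int) -> Optional[bytes]:
        loc = self.map.get(lba)
        return None if loc is None else self.blocks[loc[0]].pages[loc[1]].data

    def discard(self, lba: int) -> None:
        # File-system TRIM/discard: drop the mapping and flag the page stale.
        # Nothing is written; the page contents stay until the block is erased.
        loc = self.map.pop(lba, None)
        if loc is not None:
            self.blocks[loc[0]].pages[loc[1]].valid = False

    def compact(self) -> None:
        # Garbage collection: relocate live pages out of every block holding stale
        # data, then erase those blocks. (A real controller copies live pages to a
        # spare block before erasing; here the live data is simply held in memory.)
        dirty = [blk for blk in self.blocks if blk.has_stale()]
        live = [(pg.lba, pg.data) for blk in dirty for pg in blk.pages if pg.valid]
        for blk in dirty:
            blk.erase()
        for lba, _ in live:
            self.map.pop(lba, None)
        for lba, data in live:
            self.write(lba, data)


def physical_copies(ftl: ToyFTL, data: bytes) -> int:
    """Count every page, live or stale, that still physically holds `data`."""
    return sum(1 for blk in ftl.blocks for pg in blk.pages if pg.data == data)


# Constructed sample values for the walk-through.
SECRET_V1 = b"device-key-v1"
SECRET_V2 = b"device-key-v2"
LBA = 7


def secure_delete_walkthrough() -> Dict[str, Tuple[int, int]]:
    """Return (copies of v1, copies of v2) physically present after each step."""
    ftl = ToyFTL()
    stages: Dict[str, Tuple[int, int]] = {}
    snapshot = lambda: (physical_copies(ftl, SECRET_V1), physical_copies(ftl, SECRET_V2))

    ftl.write(LBA, SECRET_V1)          # secure data is created
    stages["1_create"] = snapshot()    # (1, 0)
    ftl.write(LBA, SECRET_V2)          # application "overwrites" it
    stages["2_overwrite"] = snapshot() # (1, 1): stale v1 still sits beside live v2
    ftl.compact()                      # explicit compaction request
    stages["3_compact"] = snapshot()   # (0, 1): single copy left
    ftl.discard(LBA)                   # file system discard/trim of the file's pages
    stages["4_discard"] = snapshot()   # (0, 1): unreadable via the FTL, but still on the media
    ftl.compact()                      # final compaction removes the last remnant
    stages["5_final_compact"] = snapshot()  # (0, 0)
    return stages


if __name__ == "__main__":
    for step, counts in secure_delete_walkthrough().items():
        print(step, counts)
```

The interesting stage is the fourth one: after the discard, `read()` returns nothing, yet the bytes are still on the media, which is exactly why the text insists on a compaction after the trim rather than treating the delete as the end of the job.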
Whitepaper: Keep device data safe with secure erase
Keeping your embedded device data safe and secure is a detailed topic. For more information, download our whitepaper. Read the abstract below:
Removing data securely from flash media is more challenging than older magnetic designs. The software and firmware must work in unison to provide secure solutions that are increasingly in demand. In this paper, we detail the secure interface from the application to the media and point out the possible pitfalls along the way.
Let’s talk more about safeguarding your data on embedded devices.