By John Geldman, Kioxia and Jim Hatfield, Seagate
The Sanitize operation is a very useful tool for SSDs as it is used to eliminate information on a device that may contain personal data or confidential information. Elimination of personal information is important when returning or re-purposing an SSD. NVM Express® (NVMe®) Sanitize commands were initially developed to provide a technology that would erase all storage capacity on a given device.
Sanitize affects everything that is currently user data, was user data, or could be user data.
Since this can be a time-consuming process, certain measures were implemented to ensure a private and successful process. For example, when an NVMe Sanitize operation begins, the device will return errors on read/write commands until the operation is complete. A power cycle or reset will not stop the automated operation of NVMe Sanitize: it automatically resumes until the sanitize operation is complete.
As industry and member feedback filtered in, the NVM Express technical work groups responded with explanations of complications that affect sanitize operations, which we will examine more closely. These NVMe Sanitize evolutions include Hidden Storage (Overprovisioning), Integrity Checks and No-Deallocation.
Hidden Storage (Overprovisioning)
Sanitize operations impact all physical storage designed to hold user data. NVMe SSDs typically include more physical storage than is addressable through the interface and this hidden storage capacity is often referred to as overprovisioning. Overprovisioning is used for vendor specific purposes that may include the offering of increasing endurance, improved performance and the providing of extra blocks to allow retiring bad or worn-out storage without affecting capacity. This additional capacity, as well as any retired storage, is not accessible through the interface. The additional capacity supports advantages to the end user and can be customized to address vendor-specific needs, but the lack of observability makes it difficult to ensure that all storage within the device has been affected. In this scenario, only the accessible storage can be audited for the results of a sanitization operation. <stopping here: the next line starts an area that needs significant rework>To address these issues, new NVMe technology implemented integrity checks (specification revision 1.3) and no-deallocate after sanitize (specification revision 1.4).
Integrity Checks and No-Deallocate After Sanitize
The Sanitize command introduced in NVM Express specification revision 1.3, included a mechanism to specify that sanitized addressable storage not be deallocated, thereby allowing observations of the results of the sanitization operation. However, some architectures and products (e.g., integrity checking circuitry) interact with this capability in such a way as to defeat the sanitize result observability purpose. New features were added to NVM Express Revision 1.4 that include extended information about the sanitization capabilities of devices, a new asynchronous event and configuration of the response to No-Deallocate After Sanitize requests. These features are intended to both support new systems that understand the new capabilities, as well to help manage legacy systems that do not understand the new capabilities without losing the ability to sanitize as requested.
NVMe technology provides the industry with beneficial alternatives to many of the most common issues facing Sanitization operations. Ultimately, these solutions ensure a smoother process and enable an increased understanding of what happens when the operation is finished, so that analytics may be assessed accurately, and precise details can be included.