If you do not set a so-called "Key Encryption Key (KEK)," the drive will not appear to be encrypted, even though it actually is. There is a "Media Encryption Key (MEK)" which is used to drive the actual encryption hardware on the drive, and this key is always applied.
A drive can therefore be rendered useless by deleting the MEK, which is much faster (and, more secure) than "data-wiping."
Unfortunately, there are "flies in the ointment." If you remove (steal) a drive that has been in-service, without allowing it to power-down, it might remain unlocked. (For example.) But these are mostly edge-cases which presume a determined opponent. (The situations that you're most likely to encounter, unless the Law has become very-interested in you for some reason, are merely opportunists.)
The very clear advantage of this technology is that it is built-in to the drive hardware, not performed by software. Thus it does not slow down the drive. If you do employ an unlock-password, you really do get good protection without a performance hit. And that can be a very important thing for road-warriors, for hospitals who must comply with HIPAA regulations, and so on. Any "software based" solution is much, much more cumbersome and fragile.
In a similar vein, many disk controllers provide this capability, as well, giving hardware-level performance to an array of storage devices without pushing the task to the devices themselves: very handy if you've got a lot of them.
Last edited by sundialsvcs; 12-15-2017 at 08:20 AM.
|