LinuxQuestions.org
Old 12-15-2017, 12:53 AM   #1
rblampain
How does ignored self encryption work on self encrypting drive?


Just learning the subject. It appears self-encrypting drives (SEDs) are very common, and are purchased and used by customers who are unaware that the drive self-encrypts regardless of whether or not the user wants self-encryption.
As I understand, powering on and off determines the default key for encryption, which becomes dependent on an (ATA) password if the user decides to master/use the encryption, but I have not been able to find and understand how files can still be available to the user without the use of this ATA password within regular power-off/power-on when, as I understand, the key can be regenerated.

This seems to me to be important enough to understand if I want to take advantage of an SED SSD.

Can someone point to info explaining this particular point?

Thank you for your help.
 
Old 12-15-2017, 08:13 AM   #2
sundialsvcs
If you do not set a so-called "Key Encryption Key (KEK)," the drive will not appear to be encrypted, even though it actually is. There is a "Media Encryption Key (MEK)" which is used to drive the actual encryption hardware on the drive, and this key is always applied.

A drive can therefore be rendered useless by deleting the MEK, which is much faster (and, more secure) than "data-wiping."

Unfortunately, there are "flies in the ointment." If you remove (steal) a drive that has been in-service, without allowing it to power-down, it might remain unlocked. (For example.) But these are mostly edge-cases which presume a determined opponent. (The situations that you're most likely to encounter, unless the Law has become very-interested in you for some reason, are merely opportunists.)

The very clear advantage of this technology is that it is built-in to the drive hardware, not performed by software. Thus it does not slow down the drive. If you do employ an unlock-password, you really do get good protection without a performance hit. And that can be a very important thing for road-warriors, for hospitals who must comply with HIPAA regulations, and so on. Any "software based" solution is much, much more cumbersome and fragile.

In a similar vein, many disk controllers provide this capability, as well, giving hardware-level performance to an array of storage devices without pushing the task to the devices themselves: very handy if you've got a lot of them.

Last edited by sundialsvcs; 12-15-2017 at 08:20 AM.
 
1 members found this post helpful.
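
A simplified model of the KEK/MEK arrangement described in the post above, as an added example that is not part of the original thread and not any vendor's firmware logic. `ToySED` and its methods are hypothetical names, and a SHA-256 keystream stands in for the drive's AES hardware.

```python
import hashlib, hmac, os

def _xor(data, key):
    # Toy keystream cipher (SHA-256 in counter mode); stand-in for the drive's AES engine.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class ToySED:
    """Simplified model of a self-encrypting drive's key hierarchy (hypothetical class)."""
    def __init__(self):
        self._mek = os.urandom(32)    # MEK: kept inside the drive, not remade at power-on
        self._wrapped = None          # MEK wrapped under a KEK, once a password is set
        self._salt = self._tag = None
        self._media = {}              # sector -> ciphertext actually stored on the media

    def _kek(self, password):
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, 10_000)

    def set_password(self, password):
        self._salt = os.urandom(16)
        kek = self._kek(password)
        self._wrapped = _xor(self._mek, kek)
        self._tag = hmac.new(kek, self._mek, "sha256").digest()

    def power_cycle(self):
        # Only when a password is set does the drive forget the usable MEK and lock.
        if self._wrapped is not None:
            self._mek = None

    def unlock(self, password):
        if self._wrapped is None:
            return True               # no KEK configured: nothing to unlock
        kek = self._kek(password)
        mek = _xor(self._wrapped, kek)
        ok = hmac.compare_digest(self._tag, hmac.new(kek, mek, "sha256").digest())
        if ok:
            self._mek = mek
        return ok

    def _key(self, sector):
        if self._mek is None:
            raise PermissionError("drive is locked")
        return self._mek + sector.to_bytes(8, "big")

    def write(self, sector, data):
        self._media[sector] = _xor(data, self._key(sector))

    def read(self, sector):
        return _xor(self._media[sector], self._key(sector))

    def crypto_erase(self):
        # A fresh MEK makes every existing ciphertext sector undecryptable at once.
        self._mek, self._wrapped = os.urandom(32), None
```

Without a password the model reads back plaintext across power cycles even though the stored sectors are ciphertext; with a password, a power cycle locks the drive until `unlock` succeeds.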
  

