Comment by archagon
3 months ago
I believe many enterprise drives have instant-erase functionality (presumably deleting an encryption key).
3 months ago
I believe many enterprise drives have instant-erase functionality (presumably deleting an encryption key).
If they were encrypted to begin with, yes. Many are not.
A drive that supports Secure Instant Erase should be encrypting all data. When the SEI function is invoked (“nvme format -s 2”, “hdparm —-security-erase”) they key is thrown away and replaced with a new one. Similar implementations exist for NVMe, SATA, and SAS drives — regardless of whether they are HDD or SSD.
This puts a fair amount of trust and in the drive’s ability to really delete the old key.
I was under the impression that these drives may be transparently encrypted by default. (Rollable encryption key in hardware, invisible to end-user.)