I have an SSD that can do self-encryption, but the encryption was not activated. The SSD has data on it, and now I want to enable the self-encryption functionality, preferably doing it in-place. I want to know what will happen to the data on the drive.
From this Archlinux article on SED:
In fact, in drives featuring FDE, data is always encrypted with the DEK when stored to disk, even if there is no password set (e.g. a new drive). [...] This can be thought of as all drives by default having a zero-length password that transparently encrypts/decrypts the data always (similar to how passwordless ssh keys provide (somewhat) secure access without user intervention).
It seems from the above paragraph that even without setting a password or enabling the encryption feature of the drive, the data would still be encrypted with the drive's DEK (albeit without an AK). By setting a password, I'm only changing the encryption to the DEK and therefore the old data, even if it stays around due to wear-leveling, is encrypted and there's no threat of leakage. Is this interpretation correct? Or is the only way to avoid data remanence in this case to do a secure erase prior to enabling encryption?
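To make the DEK/AK relationship the question is reasoning about concrete, here is an added toy model of a self-encrypting drive. It is example code written for this page, not code from the Arch wiki, from any drive vendor, or from the TCG Opal / ATA Security specifications; the HMAC-based stream cipher, the PBKDF2 authentication key and the single-copy "flash" are stand-ins for what real firmware does (typically AES-XTS and a vendor-specific key store). In the model, every sector is written as ciphertext under a random DEK from the factory state onward, the zero-length password is just an AK that wraps that DEK, and enabling a password re-wraps the DEK without touching a byte of what is on the media; a secure erase is a crypto-erase that replaces the DEK.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode), a stand-in for the
    drive's media cipher. Symmetric: the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def derive_ak(password: bytes, salt: bytes) -> bytes:
    """Authentication key (AK) derived from the user password (toy KDF choice)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000, dklen=32)


class ToySed:
    """Minimal SED model: one DEK, one AK-wrapped copy of it, and a flash store."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.flash: dict[int, bytes] = {}   # LBA -> ciphertext as stored on the media
        self._dek: bytes | None = None      # plaintext DEK, only held while unlocked
        self._rotate_dek()
        self._wrap_dek(b"")                 # factory state: zero-length password

    def _rotate_dek(self) -> None:
        self._dek = secrets.token_bytes(32)

    def _wrap_dek(self, password: bytes) -> None:
        ak = derive_ak(password, self.salt)
        self.wrapped_dek = keystream_xor(ak, b"wrap", self._dek)
        self.dek_check = hmac.new(ak, self._dek, hashlib.sha256).digest()

    def unlock(self, password: bytes) -> bool:
        ak = derive_ak(password, self.salt)
        candidate = keystream_xor(ak, b"wrap", self.wrapped_dek)
        tag = hmac.new(ak, candidate, hashlib.sha256).digest()
        if hmac.compare_digest(tag, self.dek_check):
            self._dek = candidate
            return True
        return False

    def lock(self) -> None:
        self._dek = None

    def set_password(self, new_password: bytes) -> None:
        """Enable or change the password: only the wrapped DEK changes."""
        if self._dek is None:
            raise PermissionError("drive is locked")
        self._wrap_dek(new_password)

    def write(self, lba: int, data: bytes) -> None:
        if self._dek is None:
            raise PermissionError("drive is locked")
        self.flash[lba] = keystream_xor(self._dek, lba.to_bytes(8, "big"), data)

    def read(self, lba: int) -> bytes:
        if self._dek is None:
            raise PermissionError("drive is locked")
        return keystream_xor(self._dek, lba.to_bytes(8, "big"), self.flash[lba])

    def secure_erase(self, password: bytes) -> None:
        """Crypto-erase: discard the DEK; old sectors stay on flash but become noise."""
        if not self.unlock(password):
            raise PermissionError("bad password")
        self._rotate_dek()
        self._wrap_dek(b"")


def demo() -> dict[str, bool]:
    """Walk through the question's scenario and return the observations."""
    drive = ToySed()
    # Constructed sample data written before any password was set.
    plaintext = b"payroll.xlsx: constructed sample data written with a zero-length password"
    drive.write(7, plaintext)
    flash_before = dict(drive.flash)

    drive.set_password(b"correct horse battery staple")  # enable the AK in place
    flash_after = dict(drive.flash)
    drive.lock()
    wrong = drive.unlock(b"guess")
    right = drive.unlock(b"correct horse battery staple")
    readback = drive.read(7)

    drive.secure_erase(b"correct horse battery staple")
    after_erase = drive.read(7)                           # same LBA, new DEK

    return {
        "ciphertext_unchanged_by_password": flash_before == flash_after,
        "plaintext_absent_from_flash": plaintext not in flash_after[7],
        "wrong_password_rejected": not wrong,
        "old_data_readable_with_password": right and readback == plaintext,
        "old_data_gone_after_erase": after_erase != plaintext,
    }
```

Running `demo()` shows the two outcomes the question is weighing: in this model, data written under the zero-length password is already ciphertext on the media, so enabling a password leaves it byte-for-byte in place and simply puts an AK in front of the DEK, and a wear-leveled stale copy would be ciphertext under that same DEK; a secure erase instead changes the DEK so that every existing sector, stale copies included, becomes unreadable. Whether a particular drive actually follows this model, including whether anything was ever written in the clear before FDE was active, is a property of that firmware and can only be confirmed from the vendor's documentation or an independent evaluation, not from the model.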