Enabling SED for SSD and data remanence

Question

I have an SSD that can do self-encryption, but the encryption was not activated. The SSD has data on it, and now I want to enable the self-encryption functionality, preferably doing it in-place. I want to know what will happen to the data on the drive.

From this Archlinux article on SED:

In fact, in drives featuring FDE, data is always encrypted with the DEK when stored to disk, even if there is no password set (e.g. a new drive). [...] This can be thought of as all drives by default having a zero-length password that transparently encrypts/decrypts the data always (similar to how passwordless ssh keys provide (somewhat) secure access without user intervention).

It seems from the above paragraph that even without setting a password or enabling the encryption feature of the drive, the data would still be encrypted with the drive's DEK (albeit without an AK). By setting a password, I'm only changing the encryption to the DEK and therefore, the old data, even if it stays around due to wear-leveling, is encrypted and there's no threat of leakage. Is this interpretation correct? Or is the only way to avoid data remanence in this case is to do a secure erase prior to enabling encryption?

Answer 1

Yes, your interpretation is correct.

Now, if you suspect that the drive might have been compromised while it was not password protected, you could do a secure erase, which essentially means generating a new DEK, rendering all the previous data unreadable.
By "compromised" I mean that the DEK, not being encrypted by a password, was somehow extracted from the drive, and the attacker could use it later to decrypt the drive's contents even after you set a password (store the DEK encrypted on the drive, but still use the same DEK). This kind of attack might not be easy, as you can imagine.

So depending on the sensitivity of the data, and the trustworthiness of the drive, you should choose whether to just set an encryption password ("do it in-place") or do a secure erase (generate new DEK), set a password (encrypt the DEK), and then copy over your data from a backup.