Hello,
I know the WD my passorts are AES encrypted and I have decrypted them after a PCB swap but one things puzzels me a bit.

I am aware that you can use a util to set a password but I had never a drive with the password set.

What sence does have that encryption when I am able to plug the HDD in every PC and I can copy the data as I want? So in case someone would steal a my passport drive the data is not protected but in case of a data recovery the lab need to perform some extra steps or buy tools (e.g. unlock pcb) to get the data...

That make no sence to me - so do the clients just don't get the way they should use the my passports, are they all dumb and don't even know the my passports are encrypted or is there any other reason for having a my passport / full hardware encryption over another drive then "just" securing the data in the drive from unauthorized access?

I just don't get why so many pay some extra money for a feature they finally don't use...

When encryption is properly implemented, each encrypted drive ships with a unique key. This key is stored somewhere on the drive, either in an SA module or in a hidden sector within the user area. If this key is lost or intentionally deleted, the data become gibberish. This means that an encrypted drive can be securely erased in a split second simply by throwing away all copies of the original key and then generating a new key. This is how cryptoerase works and is particularly advantageous for SSDs. The alternative for ordinary HDDs is to zero-fill every sector. In the case of SSDs, this would consume another P/E cycle, thus increasing wear and tear.

To protect one's data on an ordinary HDD requires setting a password which then needs to be stored somewhere on the drive. If this password is defeated, the non-encrypted data are immediately accessible. An encrypted HDD, OTOH, uses the password to encrypt the key, and this encrypted key then replaces the original key. Ideally the original key should be discarded. This means that the user must supply the correct password in order for the drive to be able to regenerate the original key.

Therefore the advantages are :

1/ Instant cryptoerase by deleting the key
2/ The key is encrypted by the password
3/ Neither the password nor the original key are retained by the drive
4/ The correct password is required to decrypt the key

_________________
A backup a day keeps DR away.

i would argue with that, an ssd can be erased rather fast, no need to zerofill all the blocks, on the contrary, they just need to be erased to FF value and the translator initialized. This can be done in a few seconds. (and this is done anyway if a block is reused, or after trim for example)
The main advantage of the above scenario is that when the user sets up a pwd, the key is just encrypted with a hash of the pwd, no need to re-encrypt the whole user area. So the encryption-decryption is done without user pw if it is not set up but once the user sets it up, it is used to decrypt the disk encryption key.

pepe

_________________
Adatmentés - Data recovery