[JaRail]

The 8 char password does not decrypt the key; it unlocks/retrieves it. The drive will only allow a fixed number of attempts. Once past the 10 or whatever allowed attempts, an attacker needs to brute force the full encryption key. It should be a very similar scheme to what you get with a modern smartphone, such as a new iPhone. (Not one of the older iphones the FBI cracked recently, a new one with a Secure Enclave.)

[na85]

What stops the attacker from just imaging the drive in its encrypted state and continuing to run attacks on the 8 char password well in excess of 10 attempts?

[jcrawfordor]

The drive controller does not allow you to read the encrypted form of the data out. This kind of drive-encryption is the same as the common ATA lock command (implemented in your BIOS and the drive controller), but the drive controller actually encrypts the data as well as just refusing to work without being unlocked first.

[wepple]

This relates to my "does depend on how it's actually implemented in hardware, however." comment.

This can be implemented in secure hardware (and without getting into attacks against that), you can make a password attempt, but can't modify the counter which tracks how many incorrect attempts have been made. Sufficient incorrect attempts will see the key material destroyed.