by osigurdson 1281 days ago
>> but I know consumer SSDs come with encryption permanently enabled in the firmware

Where is the encryption key? It seems that it must be in the firmware itself. Presumably it would be possible to find this with enough effort.

2 comments

The key is stored in KMS, not on the drive firmware. You can read more about how this is done here, in the section at the bottom about "Isolation of Physical Hosts" https://docs.aws.amazon.com/kms/latest/developerguide/concep...

But in short, the key is kept in memory on the HSM, and employees don't have access to it. The key can be referenced, but not actually read.

It also means that if a user accidentally deletes their key, there's no recovery. That's it. (Pro tip: Deleting a key is a faster mechanism to make data unreadable than deleting the data itself. ;)

Disclaimer: I'm an S-TAM with AWS.
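
The two points in the comment above (a key that callers can reference but never read, and deleting the key as a fast way to make data unreadable), shown as an added example that is not part of the original comment and is not AWS code. `KeyService` is a hypothetical in-process toy, and the HMAC-SHA256 keystream is a standard-library stand-in for a real cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets


class KeyService:
    """Toy stand-in for a KMS/HSM: key material lives only inside this object."""

    def __init__(self):
        self._keys = {}  # key_id -> 32-byte secret; no method returns it

    def create_key(self):
        key_id = secrets.token_hex(8)
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id  # callers get a reference, not the key material

    def delete_key(self, key_id):
        # Crypto-erase: one small deletion, independent of how much data exists.
        del self._keys[key_id]

    def _stream(self, key, nonce, length):
        # HMAC-SHA256 in counter mode as a keystream (illustration only).
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(key, b"enc" + nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, key_id, plaintext):
        key = self._keys[key_id]
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._stream(key, nonce, len(plaintext))))
        tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, key_id, blob):
        if key_id not in self._keys:
            raise KeyError("key deleted: ciphertext is unrecoverable")
        key = self._keys[key_id]
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._stream(key, nonce, len(ct))))
```

After `delete_key`, the stored blob is still present byte for byte, but no call path can turn it back into plaintext.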

2 ways I know this works:

- the drive can request the key on each boot
- the drive stores the key in the firmware, but part of the de-provisioning process would be to reset this key

Add "failed to reset the key" to the top commenter's list of things to fail.