by zaroth
1110 days ago
I don’t think that’s how it works. With these drives the AES encryption is always being done by dedicated hardware on the drive, but by default the key is just a random value stored in NVRAM. When you do a “secure erase”, the drive will internally regenerate a new key and overwrite it in its NVRAM. Crucially, the algorithm must be securely random and the old key must be reliably overwritten. But if those conditions are met - presto! Everything on the drive that was written with the old key is now unreadable and entirely unrecoverable. If you actually want to “lock” the drive, the key would be generated by a KDF from the password, the one saved in NVRAM would not be used. It’s more complicated than that, if you want to support enabling a password without wiping the drive. That would involve encrypting/decrypting a stored key with the password. But either way you can definitely secure erase a modern unlocked drive, if you trust the implementation!
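A small model of the key handling described in the comment above, added here as an illustration; it is not part of the original post and not any drive's firmware. `ModelDrive` and its method names are hypothetical, the SHA-256 keystream is a stand-in for the drive's AES hardware, and PBKDF2 is an assumed choice for the unspecified KDF.

```python
import hashlib, hmac, secrets

def keystream_xor(key, data):
    # Stand-in for the drive's AES engine (assumption; not a real cipher mode).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class ModelDrive:  # hypothetical model, not firmware
    def __init__(self):
        self.dek = secrets.token_bytes(32)  # default: random key kept in "NVRAM"
        self.salt = self.wrapped = self.tag = None
        self.media = b""

    def _need_dek(self):
        if self.dek is None:
            raise PermissionError("drive is locked")
        return self.dek
    def write(self, plaintext):
        self.media = keystream_xor(self._need_dek(), plaintext)
    def read(self):
        return keystream_xor(self._need_dek(), self.media)

    def secure_erase(self):
        # Only the key is replaced; the media bytes stay but cannot be decrypted.
        self.dek = secrets.token_bytes(32)
        self.salt = self.wrapped = self.tag = None

    def _kek(self, password):
        # PBKDF2 stands in for the unspecified KDF; 64 bytes = wrap key + MAC key.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000, 64)

    def set_password(self, password):
        # Enable locking without wiping: keep the same key, stored wrapped.
        self.salt = secrets.token_bytes(16)
        k = self._kek(password)
        self.wrapped = keystream_xor(k[:32], self._need_dek())
        self.tag = hmac.new(k[32:], self.wrapped, "sha256").digest()

    def power_cycle(self):
        if self.wrapped is not None:
            self.dek = None  # plaintext key exists only after unlock

    def unlock(self, password):
        k = self._kek(password)
        if not hmac.compare_digest(self.tag, hmac.new(k[32:], self.wrapped, "sha256").digest()):
            raise PermissionError("wrong password")
        self.dek = keystream_xor(k[:32], self.wrapped)
```

In this model the erase guarantee rests on the two conditions the comment names: the new key comes from a secure random source and the old key (and any wrapped copy of it) is actually overwritten.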