I have a Latitude e5540 and use the HDD-0 password to encrypt the data on my HDD, so it still cannot be read if put in any other PC. Now I want to replace the HDD but keep the data protection. Therefore I have 2 questions:
1) Is the encryption of the HDD data done on/by the HDD itself? So I need a special HDD which is capable of encrypting the data (in combination with HDD-0).
2) Can I replace the HDD with any other HDD and keep the HDD-0 password encryption of the HDD data? Or is the data not encrypted anymore when changing the HDD?
First, one correction: You absolutely CAN move that HDD into another PC and access the data, as long as the new PC knows how to prompt for an HDD password at boot.
Next, a clarification: Not every hard drive that allows a password to be specified actually encrypts the data when a password is enabled. Some do, but hard drive passwords existed long before encryption did.
But IF your hard drive is encrypting its contents based on the hard drive password, then yes the encryption would be done by the drive itself, which is why another PC would know how to read it as long as it knew how to prompt for an HDD password.
In terms of your question about replacing drives, once the data leaves the HDD, it is no longer encrypted, so if you wanted it to be encrypted on a new HDD, you would have to enable encryption on the new HDD. Some people choose to enable encryption before they even put anything on the drive, but even if you do it after the fact, the drive will still ensure all of the contents are encrypted, not just contents that are written after the encryption is enabled.
Thanks for your answer!
So, if I'm understanding you right: the HDD-0 password in the BIOS of my Latitude passes that password to the HDD. If the HDD is not able to encrypt, it will do nothing; otherwise it will encrypt, if the HDD is capable of it.
E.g., if I have a Samsung EVO 850 HDD, which is a SED that can use Class 0 mode (256-bit AES), and I plug in this new HDD and create the HDD-0 password in the BIOS, the data will be protected (without the password no recovery is possible, even in other PCs)?
This is all very nice to hear! I could not find the info, especially about the link between the HDD-0 password and the drive (different BIOS manufacturers and drives).
From your second-to-last mail I concluded that the encryption key on the HDD was fixed by the manufacturer. That means that the manufacturer can always read the data (but only them).
From your last mail I conclude that I had better first do a secure erase so the encryption key is not default (so unknown to anyone) anymore (although the drive is set to factory default (factory default does not mean encryption key default)).
I don't think the Class 0 encryption spec defines how the encryption key that the SSD uses internally must be derived or whether running a Secure Erase resets it. Yes, knowing that key would allow decrypting the data without knowing the password, so technically it's possible that the manufacturer could be able to read the data if they knew that key and that key was still in use, but I seriously doubt they keep even the key that ships by default. Lots of companies specifically do NOT want to have that capability because if they CAN decrypt it, then government authorities and such can get subpoenas to force them to do so, and that would be bad for public relations. After all, if the public knew that Samsung could decrypt the data of anyone using a Samsung SSD with encryption support, I suspect lots of people would stop using Samsung products. But if on the other hand Samsung truly isn't able to decrypt the data, then they can just say that.
But yes, if you're highly security conscious, you can perform a Secure Erase using Samsung's tools, which would have to reset that key.