It's not protected until one sets up a password.
What's the point of the encryption? Which is what I'm not getting.
It is not very clear. I found this
article, which states the following tidbits:
Because of their on-board key management, general conformance to TCG Opal 2.0 or Enterprise, and use of the NIST's Advanced Encryption Standard (AES), SEDs are some of the most secure and widely available forms of data at rest protection available on the market today.
Encryption of data "at rest" is mentioned in every cybersecurity questionnaire I've seen. Although it is definitely confusing when you try to zero on on exactly what that means. An SED drive encrypts data as it is written, then decrypts it as it is read by the OS or software.
This article describes it this way:
Data at rest is data that is not actively moving from device to device or network to network such as data stored on a hard drive, laptop, flash drive, or archived/stored in some other way.
Ok, so data "just sitting there" on the drive not being used or moved/copied somewhere (which is "Data in motion").
Since an SED drive decrypts the data when it is used by the OS or software, then I am with you that I don't quite understand the value of encrypting data "at rest", because the mere act of accessing that data decrypts it! I do not understand what type of event encrypting data "at rest" is protecting against. Maybe someone else will explain it to me.
The article also says:
SEDs are considered a secure form of data at rest protection, but there's one glaring caveat to that statement: users need to set a unique password on their SEDs to have them lock when they're powered off.
So, this one I understand. That places password protection on accessing any data from the drive. You have to put it in when you boot the machine or it won't boot. If you take the drive out of the machine, then the data cannot be accessed without the password. This one makes sense. However if you do this and you DON'T shut your computer off, then the data is still accessible - it seems to me anyway. So the highest security depends on the user - the computer should be off whenever it isn't being used. As long as you are willing to give up that security, then SED drives work just like non-SED drives that have had bitlocker enabled when the drive is removed from the machine.
So it THAT is true (SED drive = Non-SED drive w/bitlocker), then why get an SED drive? That leads us back to point #1, "In order to obtain
encryption at-rest". And why would you want that? I guess so you can check the "Yes" box on that cyber-security questionnaire.
I have a financial advisor client whose broker-dealer requires SED drives to use their software. I went through this whole thing trying to understand what that really got them, but I still don't really know. If someone can tell me what event encrypting data "at rest" is meant to prevent or protect against, then I would understand better.
Edit: I suppose in this case, requiring SED drives removes the user's ability to take the encryption off (like they could do by disabling bitlocker) so it could just be about that - preventing stupid human tricks.
Don't get me started on encrypting data "in motion". That's even thornier.
