Posted to uk.d-i-y
Theo[_3_]
How &$%^£*&! hard can it be to securely destroy a hard disc????

SH wrote:
The solution to all of this is full disc encryption. Without the password
the disc is full of random noise.


Yes, Windows comes with Bitlocker. I am curious to know what the CPU
overhead is for decrypting on the fly the encrypted data on said drive?


That will depend on your hardware (does it have AES instructions, does the
drive handle encryption).

Is Bitlocker considered to be a FDE?


Yes.

That's interesting to know, why is FDE used on SSDs? I don't see it
advertised as a feature on the advertising blurb so it gives one the
impression that one needs to deploy FDE....


It's an 'enterprisey' feature but I don't know whether it's standard on
every SSD. It's pretty minimal overhead to do in the controller so I don't
see why not.

However it's a slightly different use case to Bitlocker et al. Bitlocker
protects user data, while drive encryption protects the drive. For example
you might want to keep an unencrypted recovery partition so you can restore
the machine if you forget the password - with drive encryption you can't do
that unless it allows you to mark off that partition as unencrypted.

Deleting the key is not the same thing as securely erasing the key with
an overwrite so my question is can the "deleted" key be recovered?


No, in the firmware a delete is a delete. It will be overwritten with
zeroes, end of story. You might be able to dig out some faint traces with
an electron microscope, but that's serious paranoia (and million dollar)
time.

Also SSDs use wear levelling so an overwrite may end up on a physically
different location on the flash NAND chips?


Drive encryption/Secure Erase is handled in the drive firmware, and I would
be very surprised if the firmware was dumb enough not to take account of the
wear levelling the firmware itself is doing.

Theo