Recently I had an SSD fail and am attempting to do a data recovery. The data recovery company tells us that it is complicated because the build-in drive controller uses encryption.
I presume this to mean that when it writes data to the memory chips it stores it in an encrypted format on the chips.
If this is true, why on earth would they do that?
The SSD does this by storing the encryption key in plaintext. When you set an ATA disk password (Samsung calls this Class 0 security), the SSD uses it to encrypt the key itself, so you'll need to enter the password to unlock the drive. This secures the data on the drive without having to erase the entire contents of the drive or overwrite all data on the drive with an encrypted version.
Having all the data encrypted on the drive also brings another perk: the ability to effectively erase it instantly. By simply changing or deleting the encryption key, all data on the drive will be rendered unreadable, without having to overwrite the entire drive. Some newer Seagate hard drives (including several newer consumer drives) implement this feature as Instant Secure Erase.1
Because modern hardware encryption engines are so fast and efficient, there is no real performance advantage to disabling it. As such, many newer SSDs (and some hard drives) have always-on encryption. In fact, most newer WD external hard drives have always-on hardware encryption.
1In response to some comments: This may not be entirely secure considering that governments may be able to decrypt AES within the near future. It is, however, generally sufficient for most consumers and for businesses who are trying to reuse old drives.
It is a beautiful utterly elegant hack used to save on wear on the disk. Scrambling/randomising data on MLC drives also improves reliabilty on smaller process sizes - see this paper and these two referenced patents (here and here, and encrypted data is essentially random (thanks to alex.forencich for digging that up in the comments). In a sense AES encryption works the same way as the LSFR used to randomise data on a non encrypted ssd, only faster, better and simpler.
This class of drive is known as self encrypting drives, and quite a few modern SSDs are built like this. Essentially, encryption is relatively 'cheap', and allows you to store data scrambled on a SSD (some drives do this without encryption to improve reliability anyway). If you need to format it? just make the data inaccessible until the space is needed by discarding the key. It's done at the firmware level, and is decrypted on the fly. This also helps save on wear since data is spread out in the process.
Unless you set an HDD security password in bios, or set some other type of supported security/encryption option, all this prevents someone from doing is desoldering your NAND chips and reading them elsewhere, or putting in a new controller and getting your data out - see this AnandTech review of the Intel 320. Of course, when your drive dies, and if it's the controller, that's exactly what a recovery service would end up doing. Unless they could somehow recover the encryption keys from where its stored, (firmware?) and transfer it, it's probably impossible.
In short, encryption increases the lifespan of your disk, and makes it 'faster' when deleting files.
For security reasons! SSDs store the data scrambled all over the place and on different flash chips. Because flash can break, they all have more storage space than advertised and useable.
Now assume you have top secret information on your disk unencrypted. You now decide that's a stupid idea and encrypt the whole drive.
But you can't encrypt the whole drive. The SSD just shows you 16GB of space, while it has 20GB internal (in reality, the additional space is less). You encrypt all of the 16GB, but inside the drive there are still 4GB and you have no way to know what's stored there. Maybe one flash chip is even partially defective and the drive will never touch it again. A data thief could still directly read data from that.
Another reason is to allow fast data destruction. If you have to erase a 1TB SSD with 400MB/s, that will take 42 minutes. If you want to remote-wipe your SSD in a stolen laptop, in this 42m the thief will see that something is wrong and cut the power. For the same reason, most newer smartphones are encrypted by default, even if you don't need any pin.
Wiping a encrypted SSD/phone works by just wiping the 128bit (or 256bit) key. After that, all the data is worthless.. This takes less than a second.
