I thought secure erase worked by zapping all the sectors to a 0 value, hence the warnings often given that it will increment the erase cycle count by one when doing it. Does it work differently now, then, by preserving the data and just wiping the key?
Secure Erase on most SSDs (the ones that support encryption) just throws away the encryption key. The data is still on the drive, but it's just complete garbage.
I may not have stated this properly before but the encryption key is internal to the drive and is automatically generated. The encryption is completely transparent so while any access goes through the encryption from the user point of view you're looking at an unencrypted drive. You can also move the drive to another PC and it still works as intended.
However, if the current encryption key is overwritten (which is what Secure Erase does in *this* context) all data on the drive is lost. Technically, it's still there but good luck making any sense of it at all. It's just a collection of random bits.
I believe, if the drive supports encryption using the TCG Opal standard an external source can manage the key, which is how the hardware-based version of BitLocker works. Of course, then you can no longer just move the drive to another PC. You need to somehow move the key with it.
As for good old HDDs, some of the server-grade ones also do support a mechanism as explained above. They're usually referred to as SEDs (self-encrypting drives). Those can also be erased by simply ditching the key. With normal HDDs you still have to overwrite the data to erase them. I believe the DOD Wipe specs state several overwrites using different bit patterns.
EDIT: Just read the article linked above. It explains things a lot better than I did.
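The difference the answer above describes (crypto-erase throws away the key and leaves the flash contents in place; an overwrite-based wipe rewrites every sector and costs program/erase cycles) is easy to see in a small simulation. The following is an added, constructed example, not code from the thread, from any drive vendor or from the TCG Opal specification. The `SimulatedSED` class, its method names and the toy keystream cipher are all assumptions: real self-encrypting drives use AES-XTS in hardware, while this script builds a stand-in stream cipher from HMAC-SHA-256 in counter mode so that it runs offline with only the standard library.

```python
"""Simulated self-encrypting drive (SED): crypto-erase versus overwrite.

Constructed example. The keystream below stands in for the hardware
AES-XTS of a real SED (assumption); it exists only so the script runs
without third-party packages and must not be used as a real cipher.
"""
import hashlib
import hmac
import os

SECTOR_SIZE = 512


def _keystream(key: bytes, lba: int, length: int) -> bytes:
    """Toy counter-mode keystream, unique per sector via the LBA."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = lba.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SimulatedSED:
    """Transparent encryption: callers see plaintext, flash holds ciphertext."""

    def __init__(self, sectors: int) -> None:
        # The Data Encryption Key is generated inside the drive and never leaves it.
        self._dek = os.urandom(32)
        # What physically sits in the flash cells.
        self._nand = [bytes(SECTOR_SIZE)] * sectors
        self.erase_cycles = 0

    def write(self, lba: int, data: bytes) -> None:
        data = data.ljust(SECTOR_SIZE, b"\x00")[:SECTOR_SIZE]
        self._nand[lba] = _xor(data, _keystream(self._dek, lba, SECTOR_SIZE))

    def read(self, lba: int) -> bytes:
        # Host reads go through the DEK, so the drive looks unencrypted to the OS.
        return _xor(self._nand[lba], _keystream(self._dek, lba, SECTOR_SIZE))

    def raw_flash(self, lba: int) -> bytes:
        """What a chip-off forensic read would recover from the NAND."""
        return self._nand[lba]

    def crypto_erase(self) -> None:
        """Secure Erase on an SED: regenerate the DEK, leave the flash untouched."""
        self._dek = os.urandom(32)

    def overwrite_erase(self, patterns=(b"\x00", b"\xff")) -> None:
        """Classic multi-pass wipe: every sector rewritten once per pattern."""
        for pattern in patterns:
            for lba in range(len(self._nand)):
                self._nand[lba] = pattern * SECTOR_SIZE
            self.erase_cycles += 1  # each full pass consumes a P/E cycle


def demo() -> dict:
    """Run both erase styles on a constructed secret and report what survives."""
    secret = b"CONSTRUCTED SAMPLE: customer database block 0042"
    drive = SimulatedSED(sectors=4)
    drive.write(0, secret)

    before = drive.read(0).rstrip(b"\x00")
    flash_before = drive.raw_flash(0)

    drive.crypto_erase()
    after_crypto = drive.read(0)          # garbage: key is gone
    flash_after_crypto = drive.raw_flash(0)

    drive.overwrite_erase()
    flash_after_overwrite = drive.raw_flash(0)

    return {
        "read_before_erase": before,
        "crypto_erase_readable": after_crypto.startswith(secret),
        "flash_untouched_by_crypto_erase": flash_before == flash_after_crypto,
        "flash_after_overwrite": flash_after_overwrite,
        "erase_cycles_after_crypto_erase_only": 0,
        "erase_cycles_total": drive.erase_cycles,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two checks worth noting are `flash_untouched_by_crypto_erase`, which shows the ciphertext physically stays in the cells after the key is replaced, and `erase_cycles_total`, which only rises once the overwrite passes run. This is exactly why crypto-erase is both instant and wear-free on SEDs, and why a plain HDD without a drive-internal key has no such shortcut.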
