A drive that supports Secure Instant Erase should be encrypting all data. When the SEI function is invoked (“nvme format -s 2”, “hdparm —-security-erase”) they key is thrown away and replaced with a new one. Similar implementations exist for NVMe, SATA, and SAS drives — regardless of whether they are HDD or SSD.

This puts a fair amount of trust and in the drive’s ability to really delete the old key.

I was under the impression that these drives may be transparently encrypted by default. (Rollable encryption key in hardware, invisible to end-user.)