The D in Systemd is for Directories: Poettering says his creation will phone /home in future

doublelayer Silver badge

Re: That was a serious breath of fresh nerdiness

"Encryption has to come out of the factory enabled"

This is generally fine as long as it makes me set the key. If it uses one set at the factory and simply encrypts that key with the password I supply, that's not acceptable.

"with no way to turn it off"

Not acceptable. I may want to turn it off. If I know enough about how it works to do that, I probably have a reason. For example, if I want people to be able to remove the disk and read it on something else, encryption would completely remove that option. If I want people to be able to boot another disk on it, which isn't encrypted with a key known by the remaining components or at all, the user couldn't do that either.

"and be hardware assisted so there is negligible impact on performance."

That's already the case. Nearly every disk encryption solution uses AES, and nearly every modern processor used in a computer has AES acceleration in hardware. Ask the many people, myself included, doing all their work on devices with full disk encryption. It's fine from a performance standpoint.

"Even myself as an expert am extremely leery of enabling encryption on a device which shipped with no crypto because I know the device would have to reimage and migrate all the data to get to that state."

You're worried that a device will have to be reimaged? Do you know how often that happens? It happens on large upgrades (Windows and Mac, not Linux most of the time). It happens when a disk gets replaced. It happens if a backup is restored. It should happen every time a device changes hands. It is the first step after a company gets a device from somewhere else as they'll apply the corporate image. And it happens when the disk gets encrypted. If you're encrypting the right way, and I'm sure as an expert you would, all the disk has on it at the time of encryption is a basic OS image with the encryption software if that wasn't already included. If for some reason it fails, which doesn't really happen unless you cut power or something, reimage and reencrypt. It'll work fine the next time.

What you're really getting when you ask for this is a device that is stuck with the original factory image, and because you've asked for "no way to turn it off", can't ever be replaced, for any reason. And that's terrible from a security perspective, even if that image and user data are encrypted.
