A secure storage device includes a physical key input device, a secure memory and a controller. The controller arbitrates access by a host to securely configure the device based on the device's mode of operation. The controller determines whether the device is in a configuration-ready mode based on information within the device. Only when the device is in the configuration-ready mode, the device may be configured by the host. When a device is in a non-configuration-ready mode, the device is prevented from being configured by the host, but the device can be set to the configuration-ready mode, for example, by nullifying configuration data (e.g., PINs), by creating new encryption key(s), and by setting the mode to the configuration-ready mode. A null PIN is unusable to unlock the device after being locked. A new encryption key is unusable to decrypt data previously stored in the device, making such data unrecoverable.