I did discover a workaround to the issue that the BIOS does not resubmit the Opal key to the drive when resuming from suspend: the Linux kernel can actually do it itself by means of the IOC_OPAL_SAVE ioctl that was added in Linux 4.11. However, sedutil-cli has not yet been updated to support the new ioctl, so either you have to apply this PR to sedutil, or you can use Michal Gawlik’s sed-opal-unlocker:
# sed-opal-unlocker s3save /dev/disk/by-id/nvme-WD_BLACK_SN850X_*_1 /dev/stdin <<<'opensesame'
Arrange for the above command (substituting your drive’s device path and password) to be run during your system boot, and Linux will hold your password in RAM and resubmit it to the drive when resuming from suspend.
Big caveat: This works only for Opal drives. The WD_BLACK SN770M supports the old ATA security lock (NVMe protocol 0xEF) but not Opal, so if you have set a storage password on it in the BIOS, then I still know of no way of auto-unlocking it when resuming from suspend. I ended up removing the passwords from my SN770M since I am only using it for dmcrypt-swap and non-sensitive scratch/cache space.