Table of contents Up Previous Next Glossary Home   Hidden part of container  


What is a Hidden Part?


BestCrypt creates virtual drives on your computer. All data to be written to the virtual drive are placed into the container in encrypted form. The encryption algorithms used in BestCrypt are reliable, and the container cannot be decrypted without knowing the correspondent password.

But under some circumstances the user may be forced to open up the password for his container. So sometimes people may be inclined to hide the information about whether the containers on their computers exist or not.

There are a variety of methods for hiding sensitive data inside graphic or sound files so that it would be impossible to define if the original files keep an extra information inside them. That method is known as steganography. Unfortunately, holding the encrypted containers disquised as image or sound files implies some drawbacks:

  • degradation of the system performance due to a lot of useless data to be read from the original files in extracting encryption information;
  • an original file has to be 2-4 times larger than the encrypted container hidden inside it. If you create a 100 MB container, you must have a 200-400 MB sound file.
  • extremely large graphic or sound files (hundreds Megabytes) available excite your potential intruder's unnecessary curiosity.
So what can we do? Let us imagine that we use steganography but we hide the encrypted containers inside BestCrypt containers themselves rather than inside graphic files. Now we'll get two kinds of containers: original and hidden (which are stored inside the original containers). Using this kind of steganography, BestCrypt will work much better because:
  • performance of the hidden containers is the same as of the original ones;
  • hiding containers will require not so much additional disk space;
  • your potential intruder having got your passwords is facing an utter frustration thanks to impossibility to define if the original container has something else inside it.


How Do the Hidden and Original Containers Work?


A BestCrypt original container file consists of three parts:

  1. the first 512 bytes containing the data required to verify integrity of the file;
  2. Key Data Block that stores the array of encryption keys. Key Data Block is encrypted by a hash calculated from the user's password. One of the keys in the array is used for encrypting/decrypting the user's data;
  3. encrypted data.

When mounting the original container, BestCrypt verifies its integrity using part 1 of the container. Then it calculates a hash according to the password and uses the hash for decrypting the encryption key from the Key Data Block. The software uses the key for providing transparent encryption of data in part 3 of the container.

If you create a hidden part inside the container, BestCrypt creates a new encryption key for it and stores it in the Key Data Block of the original container. The place where the key for the hidden part is stored remains to be marked as unused, so it is impossible to define if the key exists or not. Besides, unused elements in the Block itself are always initialized by random data. So, replacing some random data with a new randomly generated key does not compromise the hidden part. The hidden part is stored inside part 3 of the original container without its own Key Data Block, so it's impossible to define the borders of the hidden part inside the original container.

The mounting procedure for the container with the hidden part included is almost the same as for usual containers. The only difference is that only original part's filesystem type is written to container's header. Thus when mounting hidden part you should specify filesystem type explicitly.

NOTE: Pay attention to this message: if it does not appear, the hidden part is not mounted!




  1. Use different passwords for the original container and the hidden part inside it! If the passwords are the same, BestCrypt will always mount the original container.
  2. You may write some data to the original container before creating the hidden part. But if your container already has the hidden part inside it, DON'T WRITE ANYTHING TO THE ORIGINAL CONTAINER!! When BestCrypt is mounting the original container, it has no information about its hidden part! IF YOU DO IT, ITS HIDDEN PART MAY BE DAMAGED! The BestCrypt software is designed in such a manner according to a security reason. Otherwise, your potential intruder having got the password for your original container could use debugging tools to define if there is a hidden part inside the container.
  3. CONTAINERS WITH HIDDEN PART SHOULD NOT BE REENCRYPTED. Reencryption will destroy hidden part. If you really need to change encryption key please create new container and copy all the data manually.
  4. If you create the hidden part, it means that the data stored inside the original container has no meaning and exists only for only reason - to disguise the information stored in the hidden part. In this case, you should avoid mounting of the original container.


Security advice


As it follows from the section "Precautions", it would be useful to treat the password for the original container as an "Alarm" password. It means it must not be entered until you has opened up your password.

Using the term "Alarm" also means that you should use this password only if you have consciously decided to mount the original container and write some data into it to destroy the hidden part of the container. Some ability to destroy the hidden part of the container may be useful only when there is any real threat for security of your data.

  Table of contents Up Previous Next Glossary Home   Top