BestCrypt Container Encryption FAQ
Using BestCrypt Container Encryption
BestCrypt creates and supports encrypted logical disks. These BestCrypt disks are visible as regular disks with corresponding drive letters (for example, D:, K:, Z:, i.e. any drive letter that is not used by other system devices). The data stored on a BestCrypt disk is kept in a container file. Because a container is a file, it is possible to back it up, move or copy it to another disk (CD/DVD, network, etc.) and continue to access your encrypted data using BestCrypt. Any free drive letter in the system may be used to mount and open an encrypted file-container for access. When the virtual disk is opened, you can read and write data as if it were a conventional removable disk.
Yes. An encrypted file-container is an ordinary file and you can back up and restore it like any other file on your computer.
With a CD writer you can use two types of disks: CD/DVD-R disks, which can be written only once, and CD/DVD-RW disks, which can be written many times.
BestCrypt can work with both types of disks, but because of the nature of the disks, the ways of storing encrypted data on them are different.
You can write a container file to a CD/DVD-R disk only once and then mount the container in read-only mode. You will not be able to write new files to a virtual drive that is mounted as a read-only device, so encrypted containers on CD/DVD-R disks are used in the following way.
Create the container file on your *hard drive* so that its size does not exceed the capacity of your CD/DVD disk. Then mount the container and write all the files you want to encrypt to the mounted virtual drive. Then (and this is important) dismount the container and burn it to the CD/DVD-R disk.
To copy the container, use the standard software for your CD writer, i.e. copy containers as if they were ordinary files. Now, as soon as you insert the CD/DVD disk, the drive letter corresponding to the device will appear in BC Control Panel and you can mount the containers stored on the disk as read-only virtual drives.
As for CD/DVD-RW disks, you can create BestCrypt containers, mount them and write files to them in the same way as you work with containers on hard drives: insert the CD/DVD-RW disk into the CD/DVD-ROM drive, run BC Control Panel, create a container on the CD/DVD-RW disk, mount it and write files to the mounted virtual drive.
You can then mount containers stored on the CD/DVD-RW disk as virtual drives with full (read/write) access. Of course, the way of writing containers from hard drives (i.e. the way used for CD/DVD-R) works for CD/DVD-RW disks too.
Unfortunately, nothing can be done here. If you lose your password, there is no way to decrypt your data. This is so for the following reasons:
a. BestCrypt products use strong encryption algorithms. There are no known ways to break the algorithms except a brute-force attack, and even if you could combine all the computing power in the world for a brute-force attack, it would take many billions of years to break a 256-bit key algorithm.
b. We did not insert any "back (or trap) doors" into the BestCrypt software that would allow recovering information about the password. Our government does not oblige us to insert any "backdoors" into our products, and we ourselves strongly believe that only the owner of data should decide who is allowed to access it.
You can run any disk utility on BestCrypt drives in exactly the same way as you run it on other regular drives.
It is safe to run a defragmentation utility on BestCrypt volumes, but if you are going to run the utility on the hard drive where BestCrypt containers are stored, it is strongly recommended to dismount the containers (if they are mounted) before running it.
Besides, if you want the container file to be defragmented like any other file, you have to disable the Container Guard utility. While it is active, it will not allow the defragmentation utility to move parts of the container file.
A BestCrypt container is an ordinary file for the operating system, so all procedures available for files are also available for BestCrypt containers. It is therefore possible to send a container as an attachment.
However, it is not a convenient way, because (1) you will have to communicate your password to your recipient somehow and (2) your recipient has to have the BestCrypt software installed on his/her computer.
Instead, you should use our BCArchive utility to send encrypted information via e-mail. Besides password-based encryption, BCArchive supports encryption with public/secret keys and has a convenient interface for sending archives by e-mail: after installing BCArchive, the pop-up menu for a file/folder contains the new command "encrypt by public key and send". Additionally, BCArchive can make self-extracting archives so that your recipient will be able to open the archive even if his/her computer does not have BCArchive installed.
There are two ways of opening a container stored on a remote computer (let's call it a server).
1. If BestCrypt is installed on the server, one can mount a container on the server (the option "Mount for all users" must be set) and then share the logical disk on the network for a group of users. In this case, all users will have full access to the container, but the data travels across the network in decrypted (open) form.
2. If BestCrypt is installed on the user's workstation, the user can mount a container stored on the remote server. In this case, only one user can mount the container in full read/write mode. If another user tries to mount the same container at the same time, he/she will get 'read-only' access to the container file. In this case the data travels across the network in encrypted form; BestCrypt decrypts the data on the 'client' workstation.
Security and Performance
Every BestCrypt container is encrypted using a unique, randomly generated key. The key is stored inside the container in encrypted form. The key is encrypted with a hash value that is generated from the password for the container (the hash algorithm SHA-1, SHA-256, MD5 or RIPEMD-160 is used here). Hence, BestCrypt does not store the password anywhere on disk - neither inside the container nor anywhere else.
No, the feature of opening a container-file on another computer does not make BestCrypt unsafe.
What happens when you mount a container stored on a remote computer? After you enter your password, BestCrypt calculates a hash from it and erases the password from its buffers (the software does not need to remember it any more).
Then BestCrypt reads the encrypted key from the container file (it does not matter whether the container is remote or not) and decrypts the key using the hash value.
After decrypting it, BestCrypt verifies that the key is suitable for the container, and erases the hash from its buffers (BestCrypt does not need it any more).
The key is placed in the low-level memory of the BestCrypt driver *locally* on your computer, which uses it for further encrypt/decrypt operations on the local computer.
As you can see, first, BestCrypt does not need to store the password - the software just verifies whether a given password is suitable or not. Second, even if your container is stored on another computer, all encrypt/decrypt operations are performed on your local computer, so no one can intercept decrypted parts of the container by monitoring network connections.
Yes, in Windows a password can be intercepted when you type it. At that moment some virus-like resident program can intercept your password and save it to disk. To prevent this kind of attack, BestCrypt contains a special utility named Keyboard Filter. When BestCrypt Keyboard Filter is active, keyboard monitoring programs get random keystrokes instead of the real password. Even if your password is "aaaaaa", it will be intercepted as a random string, and every time you enter the same "aaaaaa" password, the intercepted string will be different.
There may be two possible configurations on your computer at the moment when you are accessing Internet resources (when the risk of unauthorized access to your data appears):
First, if you have a BestCrypt container mounted: at that moment the BC logical drive looks like any other regular drive on your computer. For instance, disk utilities cannot tell the difference between BestCrypt drives and usual hard drives. Therefore, if some Java applet loads on your computer at that moment, it is potentially able to access the data located on the BestCrypt drive. You should use firewall software for full protection.
Second, if none of your BestCrypt containers are mounted. In this configuration all your data stored in the encrypted container is absolutely inaccessible for viewing by any tool. Even if the BC container is stolen by hackers over the network, they will not be able to decrypt the data, because of the strong encryption algorithms implemented in the BestCrypt software.
Yes, we are aware of companies that provide such services. These programs (password-guessing modules) use a dictionary attack, a brute-force attack, or a combination of both, against BestCrypt or any other password-based software.
If someone uses a regular word, phrase, name or something else that can be found in a dictionary, a guessing module will find the password quickly. Since we began working on BestCrypt, we have always strongly recommended using password strings that are as random as possible. As some theoretical papers say, a 20-letter English phrase, instead of having 20 x 8 = 160 bits of randomness, has only about 20 x 2 = 40 bits (5 bytes) of randomness. For example, the string "jtBL1@cpheR!*>" is not an English word or phrase and its randomness is much higher than that of the passphrase "In God We Trust".
If your password consists of random characters, a length of about 30 characters would be so secure that even the computational power of the distant future would not allow intruders to find your password. More practically, passwords of 12-15 random characters are very strong.
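The arithmetic behind the recommendation above, as an added example (not Jetico's code): it compares the entropy of English text, using the FAQ's rule of thumb of about 2 bits per character, with that of characters drawn uniformly from the 94 printable ASCII characters, converts bits into worst-case search time at an assumed guess rate, and generates a random password of the recommended length with Python's `secrets` module. The guess rates passed to `years_to_exhaust` are assumptions for illustration, not measurements.

```python
"""Password entropy estimates and a random-password generator.

Added example. Assumptions: English text carries about 2 bits of
randomness per character (the FAQ's figure); a uniformly random printable
ASCII character carries log2(94) bits; the guess rates are illustrative.
"""
import math
import secrets
import string

# 52 letters + 10 digits + 32 punctuation characters = 94 symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
ENGLISH_BITS_PER_CHAR = 2.0


def random_password_bits(length: int, alphabet_size: int = len(PRINTABLE)) -> float:
    """Entropy in bits of `length` characters chosen uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def english_phrase_bits(length: int) -> float:
    """Rough entropy of an English phrase of `length` letters (2 bits per letter)."""
    return length * ENGLISH_BITS_PER_CHAR


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of `bits` entropy at a given rate."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_password(length: int = 15) -> str:
    """Password of `length` characters drawn with a CSPRNG from PRINTABLE."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


if __name__ == "__main__":
    rate = 1e9  # assumed guesses per second, for illustration only
    print(f"20-letter English phrase: {english_phrase_bits(20):.0f} bits, "
          f"{years_to_exhaust(english_phrase_bits(20), rate):.2e} years")
    for n in (12, 15, 30):
        bits = random_password_bits(n)
        print(f"{n} random printable chars: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, rate):.2e} years")
    print("example random password:", generate_password(15))
```

The point the numbers make is that a 12-character random password already carries roughly twice the entropy of the 20-letter English phrase, so length alone says little; the source of the characters is what matters.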
BestCrypt v.8 allows users to create a backup copy of a container's header and to remove (wipe) the original header from the container file. The copy must be stored in a safe place, such as on a removable device. Without the header, it is absolutely impossible to access the data inside the container, because the header stores the encryption key for the data. Password-guessing modules are not able to attack such "headless" containers.
After the publication of the "Cold Boot Attacks on Encryption Keys" article, updated versions BestCrypt v.8.04 and BestCrypt Volume Encryption v.1.99 were released on February 28, 2008 to prevent the attack as far as is possible for a software solution.
The article describes how RAM (Random Access Memory) can be examined to extract encryption keys when the computer is in one of the following states: normal operation, hibernate mode, sleep mode, turned off, locked by screen saver, crashed. The following functions are implemented in the BestCrypt software to minimize the risk of the attack:
1. BestCrypt dismounts virtual drives upon shutdown, restart or logoff. When BestCrypt software dismounts virtual drives, it always shreds (wipes) encryption keys in memory (the functionality is available in earlier BestCrypt versions too).
2. System crash. Upon hard system failures Windows writes the memory contents to a crash dump file.
BestCrypt detects the system crash. A special module wipes the virtual drives' encryption keys before Windows starts writing the dump file, so these keys will not appear in the crash dump file.
BestCrypt Volume encryption keys are processed in a different way. BestCrypt Volume has a Secure Hibernating feature: it encrypts the contents of the hibernate and crash dump files, so sensitive data will be encrypted on the disk.
Note that the Hibernate and Crash Dump files are encrypted only if the boot/system partition is encrypted.
When Windows finishes writing the dump file, BestCrypt Volume wipes its encryption keys, so it is impossible to extract the key from RAM after a system crash.
3. Hibernate mode.
When the computer goes into Hibernate mode, the encryption keys of BestCrypt virtual drives are stored in the hibernate file. The best solution is to encrypt the boot/system partition using BestCrypt Volume.
We strongly discourage leaving virtual drives mounted when the computer goes into Hibernate mode if your boot/system partition is not encrypted.
BestCrypt Volume's Secure Hibernate feature effectively protects encryption keys stored in hibernate file.
After Windows completes writing the hibernate file, BestCrypt Volume wipes all encryption keys in RAM, including the encryption keys of BestCrypt virtual drives.
4. Shutdown and Restart.
BestCrypt Volume detects shutdown or restart events and wipes encryption keys after Windows finishes flushing all its cache buffers.
5. Sleep and Screen Saver Locking modes. When the computer is in these modes, BestCrypt does not dismount its virtual drives.
BestCrypt Volume cannot dismount the encrypted boot/system partition because Windows actively uses it. If an adversary powers down the computer, he/she will be able to inspect RAM as described in the "Cold Boot Attacks on Encryption Keys" article.
As a countermeasure to the attack we created the "Alarm Crash Hotkey" option in BestCrypt Volume Encryption. The option allows the user to assign a hotkey combination that will force the system to crash in an emergency.
Alarm Crash Hotkey notes:
a. Alarm Crash Hotkey works in all computer states: whether or not the user is logged on, when the computer is locked by the screen saver and even when the computer is in sleep mode. (Regular hotkeys installed by Windows applications work only when the user is logged on.)
The user can press the hotkey while Windows boots and the computer will crash. For example, the user has already entered the password for the boot/system partition, but the threat of the attack appears when Windows is not loaded yet.
Of course, the user could power down the computer, but only Alarm Crash Hotkey can guarantee removal of the encryption keys from memory.
b. Alarm Crash Hotkey can be set/changed by an Administrator only, but any person who is aware of the hotkey can press it to avert the attack.
To protect your system against the attack described in the Cold Boot Attacks on Encryption Keys article, we would recommend the following in practice:
1. Encrypt boot/system partition with BestCrypt Volume.
2. Do not leave your computer alone with encrypted data opened for access in Sleep mode or locked by Screen Saver.
3. Set Alarm Crash Hotkey and use it in case of emergency if someone attempts to power down your computer.
In all other cases (shutdown or restarting computer, crashing Windows, hibernating), BestCrypt and BestCrypt Volume securely manage encryption keys stored in RAM.
BestCrypt and Operating System Limitations
BestCrypt version 8 supports the following operating systems:
* Windows 7 32-bit, 64-bit
* Windows Vista 32-bit, 64-bit
* Windows XP 32-bit, 64-bit
* Windows 2008 Server (not for BestCrypt Enterprise)
* Windows 2003 Server
* Windows 2000
* Windows NT version 4.0 (Workstation or Server)
* Windows 9x
* Windows ME
* Linux 2.2.x
* Linux 2.4.x
* Linux 2.6.x
Windows 2000/NT/2003 Server/XP/XP x64/Vista:
Maximum size of a container is limited to 2 TB for NTFS, 4 GB for FAT32, and 2 GB for FAT16 formatted volumes.
Maximum size of a container is 4 GB for FAT32 and 2 GB for FAT16 formatted volumes.
Old Linux distributions have 2 GB file size limit; newer distributions (RedHat 7.0+, SuSE 7.0+, Debian 3.0+) break this limit. See also BestCrypt for Linux Online Documentation.
The format of containers used in BestCrypt for Linux is compatible with containers created by v.6 (and above) of BestCrypt for Windows.
Yes, it is possible, but please remember the limitation for Linux: the operating system does not support files larger than 2 GB (although in Windows 2000/XP/Vista it is possible to create much larger files on NTFS partitions). This means that container files should not be larger than 2 GB if you want to use them in both Linux and Windows.
Currently BestCrypt does not provide a function for changing the size of a container. Resizing a container is not easy: the operation takes a long time and is quite dangerous, because BestCrypt has to rebuild the filesystem structures inside the container. If we added journaling of this process (and other features to make the process absolutely safe), it would require a lot of disk space, possibly as much as the size of the container itself.
When we considered how to change the size of a container safely, we concluded that the most reliable, safe (and clear for the user) way is to create a new container and copy all the needed files there. It is the obvious and simplest way, but at the same time it is the most reliable one.
If the "User Account Control" functionality of Vista is enabled, each process works either in "user mode" or in "admin mode". Sometimes Vista asks you to confirm your admin rights, which means that the process is "elevated" to admin mode. Although you have admin rights on the computer, BestCrypt usually works in user mode, and Windows Vista does not allow writing to the root folder and some system subfolders in user mode.
There are three solutions to this problem:
1. Move the container to another location (a non-system subfolder) and create new containers in non-system subfolders.
2. Run BestCrypt Control Panel in administrative mode ("run as administrator").
3. Disable User Account Control in Vista Control Panel.
A BestCrypt container file, like a regular drive, consists of 512-byte sectors. The sectors in the container are accessed independently, so if some sectors become damaged, the BestCrypt driver will still be able to read and properly decrypt the other sectors. By the way, if a few bytes are damaged on your hard drive, the consequences are the same: the operating system marks one 512-byte physical sector on the hard drive as a bad sector.
A problem arises if the damage occurs in the first part of the container file (the header, about 4 Kb), where the encryption key is stored. Although the software makes some effort to back up this information, the possibility of such an accident exists. It is like damaging the first part of your regular hard drive, where the partition tables and filesystem structures are stored.
To protect yourself against loss of data you should create backup copies of all your containers. Even if you make a backup copy only once, the part of the container where the encryption key is stored will be saved, and hence the risk of losing the whole container disappears.
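The following is an added toy model (not BestCrypt's file format, ciphers or code) that puts together the mechanics described in "Security and Performance" (a random per-container key wrapped under a hash of the password, the password and hash discarded after the key is verified) and in this answer (a signature in the first 512 bytes, a header of about 4 KB holding the key, 512-byte sectors that decrypt independently, and a header backup that makes a wiped or damaged header recoverable). Everything in it is an assumption made for illustration: the `TOYCRYPT` signature, the header layout, the key-check value, and the cipher, which is SHA-256 run in counter mode so that the example needs only the standard library; a real product uses a block cipher such as AES.

```python
"""Toy container: header (wrapped key) + independently encrypted 512-byte sectors.

Added illustration only; the layout, signature and cipher are assumptions,
not BestCrypt's. Cipher = SHA-256 in counter mode (stdlib only).
"""
import hashlib
import hmac
import os
import struct

SECTOR = 512
HEADER_LEN = 4096            # "about 4 Kb" header, as the FAQ describes
SIGNATURE = b"TOYCRYPT"      # constructed 8-byte signature, checked first


def keystream(key: bytes, block_no: int, length: int) -> bytes:
    """Keystream for one block: SHA-256(key || block_no || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">QQ", block_no, counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_header(password: str, data_key: bytes) -> bytes:
    """Header = signature | 16-byte salt | wrapped 32-byte key | 16-byte check | zero padding."""
    salt = os.urandom(16)
    kek = hashlib.sha256(password.encode()).digest()    # hash of the password, as on the page
    wrapped = xor(data_key, keystream(kek + salt, 0, len(data_key)))
    check = hmac.new(data_key, b"key-check", hashlib.sha256).digest()[:16]
    body = SIGNATURE + salt + wrapped + check
    return body + b"\x00" * (HEADER_LEN - len(body))


def unlock(header: bytes, password: str) -> bytes:
    """Recover the data key from the header. Only the key is retained afterwards."""
    if header[:8] != SIGNATURE:
        raise ValueError("not a valid container: signature check in first 512 bytes failed")
    salt, wrapped, check = header[8:24], header[24:56], header[56:72]
    kek = hashlib.sha256(password.encode()).digest()
    data_key = xor(wrapped, keystream(kek + salt, 0, 32))
    expected = hmac.new(data_key, b"key-check", hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(check, expected):   # "is the key suitable for the container?"
        raise ValueError("password does not fit this container")
    return data_key


def password_fits(header: bytes, password: str) -> bool:
    """True if the password unlocks the header; the check a mount performs."""
    try:
        unlock(header, password)
        return True
    except ValueError:
        return False


def create_container(password: str, sectors: list) -> bytes:
    """Encrypt each 512-byte sector under its own keystream block and prepend the header."""
    assert all(len(s) == SECTOR for s in sectors)
    data_key = os.urandom(32)                            # unique random key per container
    body = b"".join(xor(s, keystream(data_key, i, SECTOR)) for i, s in enumerate(sectors))
    return build_header(password, data_key) + body


def read_sector(container: bytes, password: str, n: int) -> bytes:
    """Decrypt sector n alone; damage elsewhere in the file does not affect it."""
    key = unlock(container[:HEADER_LEN], password)
    start = HEADER_LEN + n * SECTOR
    return xor(container[start:start + SECTOR], keystream(key, n, SECTOR))


def backup_header(container: bytes) -> bytes:
    return container[:HEADER_LEN]


def wipe_header(container: bytes) -> bytes:
    """'Headless' container: no wrapped key left for a password guesser to attack."""
    return b"\x00" * HEADER_LEN + container[HEADER_LEN:]


def restore_header(container: bytes, backup: bytes) -> bytes:
    return backup + container[HEADER_LEN:]


def flip_byte(container: bytes, offset: int) -> bytes:
    """Simulate a damaged byte on disk (constructed fault, for the demo)."""
    damaged = bytearray(container)
    damaged[offset] ^= 0xFF
    return bytes(damaged)
```

In a real driver the password and the hash would be wiped from memory as soon as `unlock` returns, which Python cannot guarantee; the model only shows that nothing but the data key is needed afterwards. Note also that a single unsalted hash of the password is all that stands between a stolen container and the data key, which is exactly why the page insists on long random passwords and on wiping the header of containers that are stored where others can reach them.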
The message 'Undefined Key Generator Error' or "Key generator ID is defined" appears in the following cases:
1. When some module of the BestCrypt Key Generator has been corrupted.
2. If an older version of BestCrypt is used to open a container created with SHA-256 key generator (available in version 7.12 or later).
3. If an older version of BestCrypt is used to open a container created with KG-Ghost key generator (available in version 8.0 or later).
(Please note that containers created by an older version are always compatible with future versions, but not vice versa.)
Installing the newest version will help to solve this problem.
Usually Windows Explorer is responsible for the problem: it does not free some handles even after you close all files. If you restart Explorer after closing all files, the message will not appear. To check this, you may close Explorer using Windows Task Manager, start it again (the "New Task" button), and then try dismounting again.
There is also a "Force Dismount" option: create a batch file that can be run with a shortcut key. The batch file will contain a command to dismount all BestCrypt containers (or one of them).
Contents of the batch file (alarm.bat, for example) will look like:
start BestCrypt.exe CloseAll Anyway
You may create a shortcut for the file and put it on your desktop or set a Hot Key for running the batch file.
BestCrypt reports that the file is not a valid BestCrypt container when the first simple check of the signatures in the first 512 bytes of the container file fails.
If you have a backup copy of the container's header, you should restore the header from it. In BestCrypt v8 this can be done with the 'Restore header from backup copy' command. If you are running BestCrypt version 7, contact Jetico Technical Support and we will help you restore the container.
If you do not have a backup copy of the header, it is nearly impossible to restore the container. However, you should contact Jetico Technical Support, as each case is resolved individually.
You should turn off the 'READ ONLY' checkbox in 'MOUNT CONTAINER' dialog.