BestCrypt Container Encryption FAQ
Using BestCrypt Container Encryption
BestCrypt creates and supports encrypted logical disks. These BestCrypt disks are visible as regular disks with corresponding drive letters (for example, D:, K:, Z:, i.e. with any drive letter that is not used by other system devices). The data stored on a BestCrypt disk is stored in the container file. A container is a file, so it is possible to backup a container, move or copy it to other disk (USB, network, etc.) and continue to access your encrypted data using BestCrypt. Any free drive letter in the system may be used to mount and to open an encrypted file-container for access. When the virtual disk is opened, you can read and write data as if it was a conventional disk.
Yes. An encrypted file-container is an ordinary file and you can back up and restore it like any other file on your computer.
Encrypted file-container, just like regular files can get corrupted so it is always good to have a backup of it.
Backing up with standard backup utilities:
- Encrypted Backup If is recommended to configure your backup utility to take the file when its 'Date modified' is changed. For BestCrypt Container Encryption it will mean that the container is dismounted. NOTE: When a container file is backed up, it should be in dismounted state.
- Unencrypted Backup Configure the backup utility to back up files that are stored inside container instead of container file.
Backing up container to a cloud:
- Encrypted Backup To backup a BestCrypt container to DropBox or another cloud service, you should do the following: 1. Create a regular JBC container and locate it on your DropBox directory that is synchronized with cloud. 2. Dismount the container when you finish working it. 3. Dropbox will synchronize the change. NOTE: To share this container, you have to provide the other user with the password.
- Unencrypted Backup 1. Create a folder on BC virtual drive (i.e. on mounted container) 2. Share it on Dropbox
Unfortunately, nothing can be done here. If you lose you password, there is no any way to decrypt your data back. This is so because of the following reasons:
a. BestCrypt products use strong encryption algorithms. There are no any known ways to break the algorithms, except the brute-force attack. But even if you can combine all computing power in the world for a brute-force attack, it will require many billions years to break a 256-bit key algorithm.
b. We didn't insert any "back (or trap) doors" to the BestCrypt software that would allow recovering the information about the password. Our government does not bind us to insert any "backdoors" to our products, and we ourselves strongly believe that only an owner of data should decide who is allowed to access it.
You can run any disk utility on BestCrypt drives exactly in the same way as you run the utility on other regular drives.
It is safe to run defrag utility on BestCrypt volumes, but if you are going to run the utility on the hard drive where BestCrypt containers are stored, it is strongly recommended to dismount the containers (if they are mounted) before running the utility.
Besides, if you want the container file to be defragmented like any other files, you have to disable Container Guard Utility. If it is active, it won't allow defragment utility to move parts of the container file.
BestCrypt container is an usual file for the operating system, therefore all procedures available for the files are also available for the BestCrypt containers. So, it is possible to send container as an attachment.
However, it is not a convenient way, because (1) you will have to report your password to your recipient somehow and (2) your recipient has to have the BestCrypt software installed on his/her computer.
Instead, you should use our BCArchive utility to send encrypted information via e-mail. Besides password based encryption, BCArchive supports encryption with public/secret keys and has a convenient interface for sending the archives by email : after installation of BCArchive pop-up menu for file/folder contains new command "encrypt by public key and send". Additionally, BCArchive can make self-extracting archives so that your recipient will be able to open the archive even if his/her computer has not BCArchive installed.
There are two ways of opening a container stored on a remote computer (let's consider it as a server).
1. If BestCrypt is installed on server, one can mount a container on the server (the option "Mount for all users" must be set) and then share the logical disk in network for a group of users. In this case, all users will have full access to the container, but the data transfers through network in opened form.
2. If BestCrypt is installed on user' workstation, the user can mount container, stored on remote Server. In this case, only one user can mount the container in full read/write mode. If some other user tries to mount the same container at the same time, he/she will get 'read-only' access to the container file. In this case the data transfers through network in encrypted form, BestCrypt decrypts the data on the 'client' workstation.
Containers encrypted by TrueCrypt can be replaced by BestCrypt Container Encryption.
To replace TrueCrypt with BestCrypt: 1. Download the latest version of the BestCrypt package from Jetico official website:
- BestCrypt for Windows https://www.jetico.com/bcryptSetup.exe
- BestCrypt for Mac http://www.jetico.com/BestCrypt.dmg
- BestCrypt for Linux https://www.jetico.com/linux/BestCrypt-2.0-4.tar.gz
2. Install the program on your PC with all add-ons by running bcryptSetup.exe. 3. Run the BestCrypt Control Panel. 4. Create a new container by selecting 'New' in the 'Container' menu:
- Define the file name, location, size and encryption properties in the dialog window
- Enter and confirm the password
- Follow the instructions on the screen
5. Copy all data from the mounted TrueCrypt container to the new BestCrypt container. 6. To dismount a BestCrypt Container, right-click on the container and select 'Dismount'. To mount a BestCrypt container, double-click the container in the BestCrypt Control Panel or in Windows Explorer.
If you need to replace a system drive or a non-system drive encrypted by TrueCrypt, click here.
Security and Performance
Every BestCrypt container is encrypted using randomly generated keys. The key is encrypted and stored inside the container. The key is encrypted with a hash value that is generated from a password for the container (a hash algorithm - SHA-256, SHA-512, Whirlpool, Skein - is used here). Hence, BestCrypt does not store passwords anywhere on the disk - neither inside the container any other place.
There are two ways to do so. Either you can create a dynamic container, or you can create a regular container with the option 'Randomize disk space in the background' selected. The randomizing process is needed for complete security and it takes the long time. If the option is set, the randomizing process is launched automatically in the background, when the container is mounted. It is completed to about 95% of allocated space being overwritten so as to avoid overfilling.
Windows passwords can be intercepted when you type them. At that moment some virus-like residential program can intercept your password and save it onto the disk. To prevent this kind of attack, BestCrypt contains a special utility called Anti-Keylogger. When Anti-Keylogger is active, keyboard monitoring programs get random keystrokes instead of a real password. Even if your password is "aaaaaa", it will be intercepted and replaced with a random string. Every time you enter the same "aaaaaa" password, the intercepted string will be different.
There may be two possible configurations on your computer at the moment when you are accessing the Internet resources (when the risk of unauthorized access to your data appears):
First, if you have the BestCrypt container mounted - at this moment the BC logical drive looks like any other regular drives on your computer. For instance, all disk utilities could not find the difference between BestCrypt drives and usual hard drives. Therefore, if some Java applet loads on your computer at this moment, it potentially able to access the data located on the BestCrypt drive. You should use a firewall software for full protection.
Second, if all of your BestCrypt containers aren't mounted. In this configuration all your data stored in the encrypted container are absolutely inaccessible for viewing by any tools. Even if the BC container is stolen by hackers using network, they won't be able to decrypt the data, because of the strong encryption algorithms implemented in BestCrypt software.
If someone uses a regular word, phrase, name, or something else that is in the dictionary, these programs will discover the password quickly. Since we began working on BestCrypt, we have strongly recommended using password strings that are as random as possible. A 20-letter English phrase, instead of having 20 x 8 = 160 bits of randomness, has only about 20 x 2 = 40 bits (8 bytes) of randomness. For example, the word "jtBL1@cpheR!*>" is not an English word or phrase and its randomness is much higher than in the passphrase "In God We Trust".
If your password consists of random characters, a length of about 30 characters would be so secure that even won't allow intruders to define your password. More practically, passwords of 12-15 random characters are very strong.
Refer to the article for recommendations on how to create and remember a good password: ‘Open Sesame!’ – Is Your Password So Easy To Guess?
BestCrypt includes the following features to protect users from Brute-Force/Dictionary attack:
After publishing the Cold Boot Attacks on Encryption Keys article updated versions of BestCrypt v.8.04 and BestCrypt Volume Encryption v.1.99 were released on February 28, 2008 to prevent the attack as much as it is possible for software solution.
The article describes how RAM (Random Access Memory) can be investigated to extract encryption keys when computer is in one of the following states: normal operation, hibernate mode, sleep mode, turned off, locked by screen saver, crashed. The following functions are implemented in BestCrypt software to minimize the risk of the attack:
1. BestCrypt dismounts virtual drives upon shutdown, restart or logoff. When BestCrypt software dismounts virtual drives, it always shreds (wipes) encryption keys in memory (the functionality is available in earlier BestCrypt versions too).
2. System crash. Upon hard system failures Windows writes memory contents to crash dump file.
BestCrypt detects system crash. Special module wipes virtual drives' encryption keys before Windows starts writing the dump file. So these keys won't appear in crash dump file.
BestCrypt Volume encryption keys are processed in different way. BestCrypt Volume has Secure Hibernating feature - it encrypts the contents of hibernate and crash dump files. Thus sensitive data will be encrypted on the disk.
Note that the Hibernate and Crash Dump files are encrypted only if the boot/system partition is encrypted.
When Windows finishes writing dump file, BestCrypt Volume wipes its encryption keys. So, it is impossible to extract the key from RAM after system crash.
3. Hibernate mode.
When computer goes into Hibernate mode, encryption keys of BestCrypt virtual drives are stored in the hibernate file. The best solution is to encrypt boot/system partition using BestCrypt Volume.
We strictly discourage leaving virtual drives mounted when computer goes into Hibernate mode if your boot/system partition is not encrypted.
BestCrypt Volume's Secure Hibernate feature effectively protects encryption keys stored in hibernate file.
After Windows completes writing hibernate file BestCrypt Volume wipes all encryption keys in RAM, including encryption keys of BestCrypt virtual drives.
4. Shutdown and Restart.
BestCrypt Volume detects shutdown or restart events and wipes encryption keys after Windows finishes flushing all its cache buffers.
5. Sleep and Screen Saver Locking modes. When the computer works in these modes, BestCrypt does not dismount its virtual drives.
BestCrypt Volume must do not dismount encrypted boot/system partition because Windows actively uses it. If an adversary powers down the computer, he/she will be able to inspect RAM memory as it is described in the "Cold Boot Attacks on Encryption Keys" article.
As a countermeasure to the attack we created "Alarm Crash Hotkey" option in BestCrypt Volume Encryption. The option allows the user to assign a hotkey combination that will force the system to crash in emergency.
Alarm Crash Hotkey notes:
a. Alarm Crash Hotkey works in all computer states - whether the user logged on or not, when the computer is locked by screen saver and even when computer is in sleep mode. (Regular hotkeys installed by Windows applications work only when the user is logged on.)
The user can press the hotkey when Windows boots and the computer will be crashed. For example, the user has already entered password for boot/system partition, but threat of the attack appears when Windows is not loaded yet.
Sure, the user could power down the computer, but only Alarm Crash Hotkey can guarantee encryption keys removal from memory.
b. Alarm Crash Hotkey can be set/changed by Administrator only, but any person who is aware of the hotkey can press it to avoid the attack.
To protect your system against the attack described in the Cold Boot Attacks on Encryption Keys article, we would recommend the following in practice:
1. Encrypt boot/system partition with BestCrypt Volume.
2. Do not leave your computer alone with encrypted data opened for access in Sleep mode or locked by Screen Saver.
3. Set Alarm Crash Hotkey and use it in case of emergency if someone attempts to power down your computer.
In all other cases (shutdown or restarting computer, crashing Windows, hibernating), BestCrypt and BestCrypt Volume securely manage encryption keys stored in RAM.
The warning about performance and security levels is true for both TrueCrypt and BestCrypt. Regarding possible corruption, that is not true of BestCrypt. BestCrypt features so called Smart Free Space Monitoring – a Jetico innovation that indicates the actual amount of disk space available, warns of low disk space, and prevents system crashes and data loss when switching the container to read-only mode.
BestCrypt and Operating System Limitations
BestCrypt version 8 supports the following operating systems:
Windows - including 32-bit and 64-bit versions
- Windows 10
- Windows 8/8.1
- Windows 7
- Windows Vista
- Windows XP
- Windows 2012 Server
- Windows 2008 Server
- Windows 2003 Server
- Mac OS X 10.5+
- 2.6.x or higher
- Qt4 (optional, for GUI)
The maximum size of a container is:
Containers created on Linux and Mac versions of BestCrypt can be opened on Windows. Containers created on Windows versions will be cross-platform compatible if the option 'v8 and cross-platform compatible' was set in the container creation dialog. NOTE: To create a container that can be read and modified under different operating systems, users should format it with a cross functional file system, such as FAT32 or exFAT.
Since version 9, BestCrypt has allowed the creation of Dynamic containers. Dynamic (or size-efficient) containers, unlike Regular containers, consume less physical disk space than their virtual size is capable of. The space initially occupied by such containers is rather small compared to their capacity. The size of that space grows as files are added. Therefore, the size of a dynamic container is limited by the size of the volume it is created on. As an example, that allows users creating a 40Gb container on a volume with only 4Gb free space.
A BestCrypt container, like a regular drive, consists of 512-bytes sectors. The sectors in a container are accessed independently, so if some sectors become damaged, the BestCrypt driver will be able to read and properly decrypt other sectors. Similarly, if a few bytes become damaged on your hard drive, the consequences will be the same - the operating system will mark the 512-byte physical sector on the hard drive as a bad sector.
A problem will happen if the damage occurs in the first part of container file, known as the header (about 4 Kb), where the encryption key is stored. Although the software backs up the information, probability of accidents exist. It is like a case of damaging the first part of your regular hard drive, where partition tables as well as filesystem structures are stored.
To protect yourself against the loss of data you should create backup copies of Key Blocks for all your containers. Use the 'Backup key block' command in the 'Key Block functions' tab of the container's Properties dialog.
The message 'Undefined Key Generator Error ' or "Key generator ID is defined" appears in the following cases:
1. When some module in BestCrypt Key Generator has been corrupted.
2. If an older version of BestCrypt is used to open a container created with SHA-256 key generator (available in version 7.12 or later).
3. If an older version of BestCrypt is used to open a container created with KG-Ghost key generator (available in version 8.0 or later).
(Please note that containers created by an older version are always compatible with future versions, but not vice versa.)
Installing the newest version will help to solve this problem.
Generally, BestCrypt driver mounts a container in read only mode in the following cases:
Using BestCrypt Container Encryption for Mac
BestCrypt Container Encryption for Mac is designed to encrypt files on Mac OS X.
To keep your confidential data private, you can create secure mobile units in a few simple steps:
- Click 'Create new BestCrypt encrypted disk image'
- Select an algorithm
- Enter a name for your new container
- Type a password and get it working
Containers are displayed as virtual drives after you click 'Mount' and enter your secure password. Put the files you need to encrypt into the container and eject it in Finder or BestCrypt Control Panel.
By selecting the container from the containers list in BestCrypt Control Panel you can perform the following tasks:
- Change properties
- Change password
- Create a backup
- Re-encrypt the container