BestCrypt Volume Encryption FAQ
Using BestCrypt Volume Encryption (BCVE)
Please run BCVE in administrator mode: right-click the BCVE icon and select the 'Run as administrator' command.
BestCrypt Volume Encryption is engineered with safety first and does not contain backdoors to decrypt or open volumes. If you lose your password, we cannot help you.
For Enterprise Edition: BestCrypt Volume Encryption - Enterprise Edition stores rescue data in the database, encrypted with the administrator's password. If the end user's password has been lost, the volume can be decrypted by the administrator.
Yes, you can. To enable your encrypted system not to ask for a password at boot-time, you first need to move the encryption key from your system volume to external media (e.g. USB stick), then change the password for the volume to an empty one. After that, your computer will boot with the external media connected, but will not boot if the media is not connected. For detailed instructions on how to move an encryption key to external storage, please see www.jetico.com/web_help/bcve3/html/04_usage/01_volume_encryption/05_moving_keys.htm
Yes, you can. If you want to achieve Full Disk Encryption, you should encrypt all partitions on your hard drive. BestCrypt Volume Encryption is more flexible than other FDE software as it allows encrypting selected volumes.
The Recovery partition contains a system image that would allow you to reset to manufacturer settings in case such a need arises. This partition does not contain any user data unless you have configured the system or some third-party software to use it (for example, to create shadow copies or backups). If you have not, it is not necessary to encrypt the partition.
According to technet.microsoft.com, the System Reserved partition serves two functions. First, it holds the Boot Manager code and the Boot Configuration Database. Second, it reserves space for the startup files required by the BitLocker Drive Encryption feature. It does not contain any sensitive data, only a number of standard boot files including the BestCrypt Volume Encryption bootloader. So it is up to you whether to encrypt it or not. The system operates smoothly in both cases.
The Windows RE (Recovery Environment) is a partition your PC boots from in case its normal boot process fails. It contains a number of recovery tools allowing you to recover (either to manufacturer settings or to a restore point) or troubleshoot the OS. According to Microsoft, it does not contain any user data either. It is your choice whether to encrypt it or not.
BestCrypt Volume Encryption features two options to mount encrypted volumes automatically. Encrypted volumes can be set to either Mount at Boot Time or Mount at Logon. When Mount at Boot Time is enabled, the selected encrypted volume is mounted when you enter the boot-time password for your computer. The system volume should be encrypted in order to enable this feature. When Mount at Logon is enabled, a window prompting for the password for the selected encrypted volume pops up automatically when you log into your Windows user account.
To set Volume Encryption to automatically prompt you for a password when an encrypted external disk (USB stick) is inserted, open Options --> Actions for inserted encrypted disks --> select Ask Password and Mount.
Yes, BestCrypt Volume Encryption allows for selecting one of the pre-configured boot-time password themes or creating a new one. To change or edit the current theme, open Options --> Boot time prompt for password, and follow the instructions in the dialog window. For more information, please see: www.jetico.com/web_help/bcve3/html/04_usage/05_options/01_customize_boot_text.htm
Yes. Take the 'Traveller Files' package from the computer where BCVE is installed. To do so, run the 'Traveller Mode files' command from the 'Options' menu. Bring the files to the destination computer, run BCVE Traveller and open your volumes.
For a system/boot volume, it is strongly recommended to create a bootable Rescue disk: a USB stick or an ISO image (to be burned to a CD/DVD disk). In case of boot failure, boot your computer from the bootable rescue disk and run rescue decryption. Please note that rescue decryption is a time-consuming process.
It is also recommended to create a Windows Live CD with the BCVE plugin. In case of failure, boot the computer from this Live CD and access your encrypted volume as a regular disk. You can mount it and access data or decrypt the volume.
For regular volumes: if a volume cannot be mounted and cannot be decrypted in the usual way, run rescue decryption from the Rescue menu of the BCVE window. Rescue decryption uses the Rescue File that is created and maintained by BCVE automatically. The default location of the Rescue File is the Rescue subfolder of the BCVE home directory.
A full overview of BCVE rescue procedures is here: Rescue procedures
It is possible if the motherboard contains a Trusted Platform Module (TPM), a special hardware module designed to store encryption keys securely. BCVE allows users (administrator rights are required) to limit the time period when the computer reboots automatically, and/or limit the number of automatic unattended reboots. Read the online help article for more details.
Encrypted drives, just like regular drives, can get corrupted, so it is always good to have a backup.
There are two types of backups:
- Encrypted Backup: sector-level backup that is performed when the volume is dismounted.
- Unencrypted Backup: file-level backup that is performed when the encrypted volume is mounted.
Some backup programs report that they cannot back up the 'bcldr.bin' file, which is the file with the encryption key and is locked by BCVE. You should configure the backup program to skip this file.
BCVE can save the encryption keys to a boot image file (.bin) that you can put on a TFTP server in your corporate network. The encrypted machine will boot from the network location. As soon as the computer is taken out of the network, the connection to the TFTP server is lost and the computer will not boot.
It is possible with the Enterprise Edition of BCVE, which is distributed with Jetico Central Manager (JCM) software. JCM is used to remotely deploy BestCrypt Volume Encryption clients across all workstations, monitor usage of encrypted disk volumes, distribute encryption policies and centrally manage recovery information necessary to access encrypted data in case of emergency. The JCM administrator can set the option to get all the volumes on client computers encrypted or decrypted. The end user will have to enter the password.
Software and Hardware Compatibility
BestCrypt Volume Encryption is fully compatible with Windows 10.
Yet if you use BestCrypt Volume Encryption to encrypt your system volume, and you want to upgrade to Windows 10, you will need to:
- Temporarily remove boot-time protection by decrypting your system volume - this allows the setup to freely access the drive.
- After the upgrade process is complete, encrypt your system volume.
Our tests have shown that the Windows 10 upgrade process operates in a very simplified environment with only a small number of necessary components loaded. Unfortunately, this does not include BestCrypt Volume Encryption modules. Being unable to bypass our protection, Windows 10 fails to operate on an encrypted drive and reverts all changes previously made.
This process is absolutely safe. Click here to review step-by-step instructions.
BCVE has to disable the Windows 8 'Fast Startup' option during installation for a number of reasons:
- Installation issues: with 'Fast Startup' on, the encryption driver won't be loaded if you shut down and start the computer instead of restarting it.
- Proper protection of encrypted non-system volumes: with 'Fast Startup' on, if you have a non-system volume encrypted and mounted and you shut down and start the computer instead of restarting it, the volume will remain mounted after start.
- General system issues: with 'Fast Startup' on, it is not possible to perform troubleshooting or boot from a different device, Rescue disk, etc.
NOTE: After BCVE installation has been completed and your system volume is encrypted, you can enable the 'Fast Startup' option again, if you still wish.
Yes, BCVE supports GPT volumes. System/boot GPT volumes (with UEFI boot loader) have been supported by BCVE since version 3.50.01.
Yes, you can. Encryption is totally transparent for other applications.
If the program uses a service that starts early during system startup, it is recommended to set the 'Mount at boot time' option for the encrypted volume where the program is installed.
To migrate to BestCrypt, you will need to decrypt volumes encrypted with TrueCrypt and re-encrypt them with Volume Encryption. Please follow the steps below:
1. Download the latest version of BestCrypt package from Jetico official website: https://www.jetico.com/bcryptSetup.exe.
2. Install the program on your PC with all add-ons by running bcryptSetup.exe.
3. Decrypt volumes encrypted with TrueCrypt: make sure you have TrueCrypt v.7.2 installed, select the drive in TrueCrypt, open the Volumes menu and select Permanently Decrypt item. For system volume click System and select Permanently Decrypt System Drive.
4. Run BestCrypt Volume Encryption as Administrator.
5. Right-click on a volume to be encrypted and select 'Encrypt Volume'.
6. Define Encryption options, enter and confirm your password. The encryption process will start automatically. You can pause encryption process any time and resume it later.
7. Repeat for all volumes you want to be encrypted.
NOTE: For those who only use Volume Encryption, there is a stand-alone version of BestCrypt Volume Encryption https://www.jetico.com/bcve_setup.exe.
Yes, you can. Please note that if you create the disk image when the volume is dismounted, you will get an encrypted image. If the volume was mounted, the image will be unencrypted. So for a system volume, you always get unencrypted images.
If you restore from such an image, you will have to restore the MBR sector manually.
It is recommended to install disk imaging software BEFORE encrypting the system volume.
You do not have to decrypt. After adding the mirror, BCVE will detect that the volume is partially encrypted and will advise you to run the 'Encrypt' command to encrypt the mirror completely.
An SSD disk has its own mechanism for redistributing disk sectors: wear-leveling.
Provided that you follow the special recommendations for SSD disks, it is possible to encrypt an SSD disk securely. Please take into account that if some sensitive data already resides on the disk before encryption, BCVE cannot give a 100% guarantee that all data will be encrypted: unencrypted data may exist in the SSD's reserved area even after full encryption.
It is recommended to encrypt 100% of the disk first (for non-system volumes you can use the 'quick initial encryption' option), and then place sensitive data on the SSD drive.
Jetico is only responsible for the English language version. Yet many of our users have kindly contributed translations of the software. Jetico appreciates our open global community of dedicated users and enables the distribution of these user-contributed translations.
Yes, BestCrypt Volume Encryption can be used to encrypt Windows-based tablets. The list of supported Windows operating systems and system requirements can be found at: www.jetico.com/Release_Notes/Jetico_Product_Release_Notes_BestCrypt_Volume_Encryption_v3.htm
NOTE: If you decide to encrypt the system volume of your tablet, a keyboard will be required to enter your password at boot time. Unfortunately, touchscreen keyboard drivers are not yet loaded in the pre-boot environment (where BestCrypt Volume Encryption prompts for authentication). However, with a keyboard attached, the authentication process runs smoothly. For additional information on Surface Pro tablets, please see the next question. Alternatively, you can move the encryption key to a USB stick and set BestCrypt Volume Encryption to use an empty password. In that case, your tablet will boot if the USB is plugged in. For more information, please see www.jetico.com/web_help/bcve3/html/04_usage/01_volume_encryption/05_moving_keys.htm or the corresponding FAQ.
Yes, BestCrypt Volume Encryption can be used to encrypt Surface Pro tablets. NOTE: Surface-series tablets are shipped with Microsoft BitLocker device encryption pre-enabled. To avoid a software conflict, BitLocker should be turned off and the device should be decrypted before installing BestCrypt Volume Encryption.
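A pre-installation check for the conditions named in this section (BitLocker state, 'Fast Startup', partition style of the system disk), given here as an added example that is not Jetico code. It uses the built-in Windows cmdlets Get-BitLockerVolume and Get-Disk and the HiberbootEnabled registry value; the function name Get-BcvePreInstallReport is hypothetical.

```powershell
# Added example, not Jetico code. Run from an elevated PowerShell prompt.
# Get-BcvePreInstallReport is a hypothetical name chosen for this sketch.
function Get-BcvePreInstallReport {
    $rows = [System.Collections.Generic.List[object]]::new()

    # 1. BitLocker: the FAQ asks for BitLocker off and the device decrypted.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        foreach ($vol in Get-BitLockerVolume) {
            $clear = $vol.VolumeStatus -eq 'FullyDecrypted'
            $rows.Add([pscustomobject]@{
                Check  = "BitLocker on $($vol.MountPoint)"
                State  = "$($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
                Action = if ($clear) { 'none' } else { 'turn BitLocker off and let decryption finish' }
            })
        }
    } else {
        $rows.Add([pscustomobject]@{
            Check = 'BitLocker'; State = 'cmdlets not available'; Action = 'check encryption state manually'
        })
    }

    # 2. Fast Startup: HiberbootEnabled = 1 means the option is on.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
    $prop = Get-ItemProperty -Path $key -Name HiberbootEnabled -ErrorAction SilentlyContinue
    $on   = $prop -and $prop.HiberbootEnabled -eq 1
    $rows.Add([pscustomobject]@{
        Check  = 'Fast Startup'
        State  = if ($on) { 'enabled' } else { 'disabled' }
        Action = if ($on) { 'expect BCVE setup to disable it during installation' } else { 'none' }
    })

    # 3. Partition style of the system disk: per the FAQ, GPT system/boot
    #    volumes are supported since BCVE version 3.50.01.
    foreach ($disk in Get-Disk | Where-Object IsSystem) {
        $gpt = $disk.PartitionStyle -eq 'GPT'
        $rows.Add([pscustomobject]@{
            Check  = "System disk $($disk.Number)"
            State  = "$($disk.PartitionStyle)"
            Action = if ($gpt) { 'use BCVE 3.50.01 or later' } else { 'none' }
        })
    }
    $rows
}

Get-BcvePreInstallReport | Format-Table -AutoSize -Wrap
```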
License & Support
Yes, we have the official Jetico forum.
The volumes will still be encrypted and BestCrypt Volume Encryption (BCVE) has full functionality. The only limitation: software updates won't be allowed.