BestCrypt Volume Encryption FAQ

Using BestCrypt Volume Encryption (BCVE)

01. I cannot encrypt volumes because 'Encrypt' command in 'Volume'- menu is grayed out.

Please run BCVE in administrating mode. Right-click BCVE icon and run 'run as administrator' command.

02. How to decrypt or open a volume if I forgot the password?

BestCrypt Volume Encryption is engineered safety first and doesn’t contain Backdoors to decrypt or open Volumes. In case of lost password, we can't help you.

 

For Enterprise Edition: BestCrypt Volume Encryption - Enterprise Edition stores Rescue data in the database by encrypting them with the administrator's password. If the end-user's password has been lost, the Volume can be decrypted by the administrator.

03. Can I set my encrypted system to boot without a password?

Yes, you can.
To enable your encrypted system not to ask for a password at boot-time, you first need to move the encryption key from your system volume to external media (e.g. USB stick), then change the password for the volume to an empty one.
After that, your computer will boot with the external media connected, but will not boot if the media is not connected.

For detailed instructions on how to move an encryption key to external storage, please see www.jetico.com/web_help/bcve3/html/04_usage/01_volume_encryption/05_moving_keys.htm

04. Should I encrypt Recovery / System Reserved / Windows RE partitions?

Yes, you can.
If you want to achieve Full Disk Encryption, you should encrypt all partitions on your hard drive. BestCrypt Volume Encryption is more flexible than other FDE software as it allows encrypting selected volumes.

The Recovery partition contains a system image that would allow you to reset to manufacturer settings in case such a need arises. This partition does not contain any user data unless you have configured the system or some third-party software to use it (for example, to create shadow copies or backups). If you have not, it is not necessary to encrypt the partition.

According to technet.microsoft.com, the System Reserved partition serves two functions. First, it holds the Boot Manager code and the Boot Configuration Database. Second, it reserves space for the startup files required by the BitlLocker Drive Encryption feature. It does not contain any sensitive data, only a number of standard boot files including the BestCrypt Volume Encryption bootloader. So it is up to you whether to encrypt it or not. The system operates smoothly in both cases.

The Windows RE (Recovery Environment) is a partition your PC boots from in case its normal boot process fails. It contains a number of recovery tools allowing you to recover (both manufacturer settings or a restore point) or troubleshoot the OS. According to Microsoft, it does not contain any user data either. It is your choice to encrypt or not.

05. Can encrypted non-system volumes be mounted automatically so that I don’t have to open BestCrypt Volume Encryption and manually mount them every time?

BestCrypt Volume Encryption features two options to mount encrypted volumes automatically. Encrypted volumes can be set to either Mount at Boot Time or Mount at Logon.

When Mount at Boot Time is enabled, the selected encrypted volume is mounted when you enter the boot-time password for your computer. The system volume should be encrypted in order to enable this feature.

When Mount at Logon is enabled, a window prompting for password for the selected encrypted volume pops up automatically when you log into your Windows user account.

To set Volume Encryption to automatically prompt you for a password when an encrypted external disk (USB stick) is inserted, open Options --> Actions for inserted encrypted disks --> select Ask Password and Mount.

06. Can I change the text shown at boot time when the password for my encrypted system volume is asked?

Yes, BestCrypt Volume Encryption allows for selecting one of the pre-configured boot-time password themes or creating a new one. To change or edit the current theme, open Options --> Boot time prompt for password, and follow the instructions in the dialog window.

For more information, please see: www.jetico.com/web_help/bcve3/html/04_usage/05_options/01_customize_boot_text.htmo

07. Can I mount my encrypted USB stick on a computer where BCVE is not installed?

Yes. You should take 'Traveller Files' packet from your computer where BCVE is installed. To do so, run the command 'Traveller Mode files' from 'Options'- menu. Bring the files to the destination computer, run BCVE Traveller and open your volumes.

08. I have encrypted all volumes on my system and I am going to reboot. What will happen if my system does not boot? What steps should I make now to be protected from a failure? How to recover non-system volume?

For system/boot volume - it is strongly recommended to create bootable Rescue disk - USB stick or ISO image (and burn CD/DVD disk). In case of the boot failure, you boot your computer from the bootable rescue disk and run rescue decryption. Please note that rescue decryption is time-consuming process.


It is also recommended to create Windows Live CD with the BCVE plugin. In case of the failure, you boot the computer from this Live CD and access your encrypted volume as regular disk. You can mount it and access data or decrypt the volume.


For regular volumes - if it cannot be mounted and cannot be decrypted in usual way - run rescue decryption from Rescue menu of BCVE window. The rescue decryption uses Rescue File that is created and maintained by BCVE automatically. The default location of Rescue File is Rescue subfolder of BCVE home directory.

 

Full overview of BCVE Rescue procedures is here: Rescue procedures

 

09. Our server has been encrypted. Windows Updates are scheduled to run at night time. When it happens, the server is automatically rebooted and stays at BCVE password prompt. Is it possible to reboot without BCVE password at least once?

It is possible, if the motherboard contains Trusted Platform Module (TPM). It is a special hardware module designed to store encryption key securely. BCVE allows the users (administrator rights are required) to limit the time period when the computer reboots automatically, and/or limit the number of automatic unattended reboots. Read the online help article for more details

10. Do I need to backup encrypted data?

Encrypted drives, just like regular drives can get corrupted so it is always good to have a backup of it.

 

There are two types of backups:

  • Encrypted Backup
    Sector-level backup that is performed when the volume is dismouned.
  • Unencrypted Backup
    File-level backup that is performed if the encrypted volume is mounted.

 

Some backup programs report that they cannot backup 'bcldr.bin' file that is the file with encryption key and it is locked by BCVE. You should configure the backup program to skip this file.

11. We would like to encrypt all of our company's computers so that it would not be possible to boot the computer if it is out from our office, even if the password is known. Is it possible?

BCVE can save the encryption keys to a boot image file (.bin) and you can put it on TFTP server in your corporate network. The encrypted machine will boot from the network location. As soon as the computer is out - connection to the TFTP server has been lost and the computer won't boot.


The PXE technology
Please read the online help article for more details.

12. We would like to encrypt all our company's computers from single Central Manager Console. Is it possible? Is end-user intervention required?

It is possible with Enterprise Edition of BCVE. It is distributed with Jetico Central Manager (JCM) software. JCM is used to remotely deploy BestCrypt Volume Encryption clients across all workstations, monitor usage of encrypted disk volumes, distribute encryption policies and centrally manage recovery information necessary to access encrypted data in case of emergency. JCM administrator can set the option to get all the volumes on client computers encrypted or decrypted. End-user will have to enter the password.

 

Software and Hardware Compatibility

13. How can I migrate to Windows 10 with BestCrypt Volume Encryption?

BestCrypt Volume Encryption is fully compatible with Windows 10.

 

Yet if you use BestCrypt Volume Encryption to encrypt your system volume, and you want to upgrade to Windows 10, you will need to:

  • Temporarily remove boot-time protection by decrypting your system volume - this allows the setup to freely access the drive.
  • After the upgrade process is complete, encrypt your system volume.

 

Our test have shown that Windows 10 upgrarde process operates in a very simplified environment with only a small number of necessary components loaded. Unfortunately, this does not include BestCrypt Volume Encryption modules. Being unable to bypass our protection, Windows 10 fails to operate on an encrypted drive and reverts to all changes previously done.

 

This process is absolutely safe. Click here to review step-by-step instructions.

14. Why does Windows 8 with BCVE installed take longer to boot up than it used to?

BCVE has to disable Windows 8 'Fast Startup' option while installation due to a number of reasons:


  • Installation issues: with 'Fast Startup' on, encryption driver won't be loaded if you make shutdown/start instead of restart.
  • For proper protection of encrypted non-system volumes: with 'Fast Startup' on, the volume will remain mounted after start if you have some non-system volume encrypted and mounted, and make shutdown/start instead of restart.
  • General system issues: with 'Fast Startup' on, it is not possible to perform troubleshooting or boot from a different device, Rescue disk, etc.

NOTE: After BCVE installation has been completed and your system volume is encrypted, you can enable 'Fast Startup' option, if you still wish.

15. I'm helping a friend encrypt his laptop. I've tried other volume encryption solutions but many run into problems with the internal HDD formatted using GPT (GUID Partition Table) scheme. Can BCVE handle GPT formatted system HDD?

Yes, BCVE supports GPT volumes. System/boot GPT volumes (with UEFI boot loader) are supported by BCVE since version 3.50.01.

16. Can I install programs on a partition encrypted with BCVE?

Yes, you can. Encryption is totally transparent for other applications.
If the program uses a service that starts at early startup time - it is recommended to set the option 'Mount at boot time' for the encrypted volume where the program is installed.

17. I used TrueCrypt to encrypt my volumes. However, Truecrypt was announced to be insecure. I am considering BestCrypt Volume Encryption as Truecrypt alternative. How can I migrate?

To migrate to BestCrypt, you will need to decrypt volumes encrypted with TrueCrypt and re-encrypt them with Volume Encryption. Please follow the steps below:
1. Download the latest version of BestCrypt package from Jetico official website: https://www.jetico.com/bcryptSetup.exe.
2. Install the program on your PC with all add-ons by running bcryptSetup.exe.
3. Decrypt volumes encrypted with TrueCrypt:
make sure you have TrueCrypt v.7.2 installed, select the drive in TrueCrypt, open the Volumes menu and select Permanently Decrypt item. For system volume click System and select Permanently Decrypt System Drive.
4. Run BestCrypt Volume Encryption as Administrator.
5. Right-click on a volume to be encrypted and select 'Encrypt Volume'.
6. Define Encryption options, enter and confirm your password. The encryption process will start automatically.You can pause encryption process any time and resume it later.
7. Repeat for all volumes you want to be encrypted.

NOTE: For those who only use Volume Encryption, there is a stand-alone version of BestCrypt Volume Encryption https://www.jetico.com/bcve_setup.exe.

18. Can I use regular disk imaging utilities with encrypted volumes?

Yes, you can. Please note that if you create the disk image when the volume is dismounted, you will get the encrypted image. If the volume was mounted, the image will be unencrypted. So for system volume - you always get unencrypted images.
If you restore from such an image, you will have to restore MBR sector manually.
It is recommended to install disk imaging software BEFORE encrypting the system volume.

19. I encrypted my backup volume some time ago. Now I have acquired a new HDD and would like to add it as a mirror. Should I decrypt it, configure the mirror and then encrypt it again?

You do not have to decrypt. After adding the mirror, BCVE will detect that the volume is partially encrypted and will advise to run 'Encrypt' command to encrypt the mirror completely.

20. Can I securely encrypt a volume located on SSD disk?

SSD disk has its own mechanism of re-distribution disk sectors - wear-leveling.

 

Provided that you follow the special recommendations for SSD disks, it is possible to encrypt SSD disk securely. Please take into account that if some sensitive data already resides on the disk before encryption, BCVE cannot give a 100% guarantee that all data will be encrypted: unencrypted data may exist on the SSD’s reserved area even after full encryption.
It is recommended to encrypt 100% of the disk first (for non-system volumes you can use 'quick initial encryption' option), and then input sensitive data on the SSD drive.

 

21. I would like to use the software in my native language. Where can I download a translated version of BCVE?

Jetico is only responsible for the English language version. Yet many of our users have kindly contributed translations of the software. Jetico appreciates our open global community of dedicated users and enables the distribution of these user-contributed translations.
Please check Options-->Software languages menu. If your language exists, please select it and the program will switch to the language. If it does not exist, and you would like to translate BCVE to your native language, contact Jetico Technical Support at This email address is being protected from spambots. You need JavaScript enabled to view it. .

22. Can I encrypt my tablet with BestCrypt Volume Encryption? Are there any known issues with encrypted tablets?

Yes, BestCrypt Volume Encryption can be used to encrypt Windows-based tablets. The list of supported Windows operating systems and system requirements can be found at: www.jetico.com/Release_Notes/Jetico_Product_Release_Notes_BestCrypt_Volume_Encryption_v3.htm


NOTE: If you decide to encrypt the system volume of your tablet, a keyboard will be required to enter your password at boot time.

Unfortunately, touchscreen keyboard drivers are not yet loaded in the pre-boot environment (where BestCrypt Volume Encryption prompts for authentication). However, with a keyboard attached, the authentication process runs smoothly.

For additional information on Surface Pro tablets, please see the next question.

Alternatively, you can move the encryption key to a USB stick and set BestCrypt Volume Encryption to use an empty password. In that case, your tablet will boot if the USB is plugged in. For more information, please see www.jetico.com/web_help/bcve3/html/04_usage/01_volume_encryption/05_moving_keys.htm
or the corresponding FAQ.

23. Can I encrypt my Surface Pro tablet with BestCrypt Volume Encryption?

Yes, BestCrypt Volume Encryption can be used to encrypt Surface Pro tablets.

NOTE: Surface-series tablets are shipped with Microsoft BitLocker device encryption pre-enabled. To avoid a software conflict, BitlLocker should be turned off and the device should be decrypted before installing BestCrypt Volume Encryption.

 

License & Support

24. Do you have a forum where BCVE issues are discussed?

Yes, we have the official Jetico forum

25. I purchased one year license of BCVE. What happens after license period ends? Are my encrypted volumes going to be decrypted? Is there any other limitation on functionality?

The volumes will still be encrypted and BestCrypt Volume Encryption (BCVE) has full functionality. The only limitation: software updates won't be allowed.