Moving Encryption Keys to Remote Storage

By default BestCrypt Volume Encryption stores encryption key for volume on the same volume in encrypted form. The key is encrypted by another key derived from the password for the volume. To mount volume the user enters the password, the software then decrypts the key and mounts the volume.

To enhance security level of encrypted volume the user can move the key in encrypted form from the volume to some external storage. It may be a removable disk (like USB stick) or remote network server where from the computer boots. The last option is available for system/boot disk volumes only and requires configuration of enterprise server so that the client computer could boot from it.

If you move encryption key from the volume to a removable disk, any person who wants to mount the volume will have to: a) know password for the key and b) have the removable disk. Without any of these two factors it will be impossible to get access to the data inside the volume (it is so called Two-Factor Authentication).

To move encryption key from encrypted volume, select it in BestCrypt Volume Encryption main window. The volume should be in mounted state. Run command Encryption Key -> Move key to external storage command from Volume menu. If the disk volume is not boot/system, the program will allow moving its encryption key only to some removable disk. The following window will appear.

Move key to removable disk

The window contains all instructions and precautions the user should be aware of when he/she is going to move encryption key from encrypted volume to external storage. Please do not continue the process if something is unclear and address your questions to Jetico technical support (

If you are sure that instructions and precautions are clear, select removable disk from the list in the dialog window and click Finish.

If encrypted volume is system or boot and you run the Move key to external storage command for it, another dialog window will appear.

Move key options

As instructions on the window state, you can select option Removable disk and move the key to the removable disk in the same way as it was described above for not boot/system volumes. In this case please make sure that your computer is configured to boot from the removable disk.

You may also select Boot image file option if your client computer is configured to boot from remote server. In this case boot code the remote server sends to your computer at boot time should be replaced by boot code provided by BestCrypt Volume Encryption program. So if you select the Boot image file option and click Next, file with the boot code will be created.

To make the process of moving key as safe as possible, in the next dialog window the program allows the user to create the boot file without erasing the key from the volume, just for testing purposes.

Move key to boot file

Whatever option you choose, the program will create boot file for the computer with encryption key. If you have chosen option to make a copy of the key for testing purposes and your computer could boot from network correctly, please run the command again and choose option Move encryption key to boot image file. After that the key will be copied to the file and erased from encrypted volume. Then the only way to boot the computer will be getting the boot code from the server.

BestCrypt Volume Encryption allows the user to move encryption key back from the external storage to encrypted disk volume. To do that run command Encryption Key -> Restore key from external storage from Volume menu. The program will access boot image file or look for the key on removable disk and restore the key on encrypted volume.

Note: moving encryption keys to remote storage is possible only for volumes encrypted with version 3 of the software. If the functionality is required for volume encrypted with older version of the software, you should decrypt the volume and encrypt it again with version 3 of BestCrypt Volume Encryption.

See also: