BestCrypt Control Panel


The BestCrypt Control Panel is the central BestCrypt-user interaction application. It allows you to perform container creation and management (e.g., adding containers, changing and removing passwords) as well as some advanced operations.

The following sections describe all functions of Control Panel grouped together by the task they perform, starting with a general overview of the main Control Panel window.

General Overview

When you launch BestCrypt, the first thing you will see is the main Control Panel window, consisting of a toolbar at the top of the window and a number of control sections. Let's take a closer look at this window:

Toolbar items

The Control Panel toolbar provides a set of items to help you access different BestCrypt functions. Some of these functions apply only to the selected container. The following controls are included: Create, Locate, Mount, Eject, Forced eject, and Eject all.

Container List

The leftmost area of the Control Panel's main window is called the container list. Each element in this list corresponds to each container file known to be located on your system. There are several ways how containers can end up in this list:

Selected Container View

Selecting a container from the Container list by simply clicking on it enables a "Selected Container View" - an area on the right displaying general information about selected container, such as:

Menu Bar

Menu bar combines groups of operations that can be applied to the selected container into easily accessible menus. Each of these groups is discussed separately in the following sections of this guide, but for now let us briefly describe each group and provide references for more information:

Creating a New Container

To create a new BestCrypt container, click the Create button on the welcome screen or on the toolbar. The following dialog box will appear to guide you through the process:

Container Creation Dialog incorporates the following fields and controls:


At this point, it is strongly advised to read through our short guide on choosing strong passwords for your container.

Click Create if you would like to use the default algorithm, hash or file system of the encrypted virtual disk. Otherwise, click Advanced and complete the next dialog:

The following fields and controls are available under Advanced settings

Click Create to create a container with the selected settings or click Next to head to password options:


NOTE: Changing the default iteration count (16384) prohibits further header encryption for the container. Likewise, if Encrypt header option is checked, the Iterations box is automatically set to default value and disabled.

Click Back to return to the previous page of the wizard. Click Create to proceed with container creation.

BestCrypt initializes an encrypted volume inside the new container with random data. This is needed to ensure the best level of protection of the encrypted data. This operation might take a while; the progress of the operation is displayed by the progress indicator. This operation can be cancelled at any time by clicking the Cancel button.

After the process is complete your new container will be ready for use. It will be added to Container list with its' properties displayed in Selected container view. If you have set the Mount new container checkbox, the container will also be mounted at this point.

Managing Container Passwords

In addition to the initial password container was created with, many more can be assigned to each container. A total number of additional passwords depends on container file format version and password type, but for the default setting it is limited to 64 entries total (including any hidden part passwords).

BestCrypt allows you to add, change and remove passwords for existing containers and hidden parts. You can access these functions from the Passwords menu:

Passwords Menu

At this point, it is strongly advised to read through our short guide on choosing strong passwords for your container.

There is a pattern for how password management works for different volume types (main or hidden). All password management operations will first ask you to enter an existing container password. If that password pertains to the main part, then, for example, a newly added password will be added for the main part, and the other way around for each possible hidden part.

For any new password, BestCrypt accepts any printable symbol in any language. Anything you can type on your keyboard is a valid password symbol. However, due to security considerations, the minimum password length is always at least 8 characters. The maximum size is limited to 255 characters.

All container passwords must be unique. This includes passwords for the main part and all possible hidden parts. For example, if you are adding a new password for your hidden part but the same password is already used for the main part, then this new password is considered a duplicate and will be rejected.

Advanced Container Operations

BestCrypt provides many advanced functions to keep your data safe. However, many of these functions require some familiarity with concepts they represent. They are easy to learn and will provide you with a better level of understanding to perform these operations correctly and effectively and employ them to your maximum advantage.

As always you can easily find all advanced functionality in the Container menu bar:

Most of these operations exist to boost the level of privacy when using BestCrypt containers. The following section describes each one in more detail.

Encrypted Headers

A BestCrypt container file consists of two different types of data:

  1. Encrypted data that is stored inside a container, and
  2. A service file header that contains all user-specified information like container description, size and encryption algorithm specification.

Therefore, BestCrypt container file has a well-known structure that can be easily identified on your computer. Sometimes it is unacceptable for anyone to know and prove that you have a BestCrypt container file without actually knowing its password or even asking for it. Header encryption exists to avoid exactly this kind of threat.

The header encryption operation encrypts this well-known container header to disguise it as random, nonsensical garbage; the entire container file thus becomes absolutely indistinguishable from noise and does not have any known structure anymore and ceases to have a well-known structure. Nobody, then, can unambiguously prove that this file is a BestCrypt container.

However, it also means that even BestCrypt itself will not be able to identify this file as a container. When you encrypt container header and select it in container list BestCrypt will not be able to display any information about it. Take a look at the example below. Here we have selected a container with an encrypted header:

To further reinforce your privacy, Control Panel also treats these containers differently to remove any traces of their usage. For example, when you add this container using the Locate button, it will be removed from the container list when you close the Control Panel, thus hiding the fact that you even tried to use this file (which, in any case, is filled with seemingly random data) as a BestCrypt container.

To decrypt a container header and make it visible to BestCrypt again, return to the menu and select Decrypt header.

Header Backup

BestCrypt generates and securely stores a set of encryption keys that all data in the container file is encrypted with. Each correct container password is used to decode those keys and set up a virtual encrypted disk. All data needed to check each password and decode encryption keys is stored in a special section of the container file that you can back up and safely store in a separate file without copying the entire container file with all its encrypted data inside.

BestCrypt allows you to create these key data backup files with the .kbb extension by default, restore previous container states from them and use them to mount your container. You can use these functions just as you would use most other Control Panel functions: from the Container menu

To use key data backups effectively, there is an important point to understand: backup files contain a copy of all information about container encryption keys and passwords. This is of course stored in a secure way, but the point is that by creating a backup file you have created a snapshot of all passwords and encryption keys used for this container. Keep that in mind when you restore key data backup or mount a container using it; in the former case the previous snapshot of all container passwords is restored, and in the latter case you are authenticating against this previous snapshot.

You can use this to your advantage by backing up all container passwords in a separate backup file to safely store it on a remote device and erase or encrypt this very same information in the actual container file. This way, the only means to mount such a container is by providing a key data backup file stored separately.

Hidden Parts

All encrypted data stored inside a container looks like random garbage until the correct encryption key is provided to properly interpret it. BestCrypt takes care of all of this for you; all its asks you to do is supply a password. However, there can be more than one correct interpretation of this encrypted noise, provided you know beforehand where to look for it and have the correct encryption key. And that is the best part: When all your data looks like random garbage, nobody can prove that you have more than one interpretation of it in another subset of data hidden among this random noise.

This is precisely what the hidden part is: A secret subset of encrypted data hidden inside existing encrypted (or random) data that can be made sense of only if you know where to look and have the correct password. Nobody else can prove that it really exists and force you to submit any passwords for it.

In cryptography, this concept is called plausible deniability or deniable encryption and is best explained by an example: Imagine a situation when you are pressed hard to reveal your container password. If you store all of your very important data inside a hidden part and fill the main part with seemingly and convincingly important (but really just decoy) data you can, after some hesitation, reveal the password for the main decoy part of your container and convincingly deny the existence of any other encrypted data besides the one that you've just revealed to your interrogators. And BestCrypt, of course, makes sure that it is impossible to prove you have anything else besides the main decoy part.

Being a powerful feature, Hidden Parts requires some caution to use properly.

Because BestCrypt does not know about any hidden parts you might have when mounting the main part of your container, any changes you make to the mounted main part can overwrite and damage the hidden part. You are strongly advised to fill your main part with all decoy data before creating any hidden parts.


When you choose to create a new hidden part you will be greeted by the New Hidden Part dialog, shown below:

Click the Create button to add and format new hidden part once you've set all preferences and protected any and all existing hidden parts. You will be asked to supply an initial password for your new hidden part.

At this point it is strongly advised to read through our short guide on choosing strong passwords for your new hidden part.

After creation completes you can work with your new hidden part as usual. All container operations described in this guide apply to the hidden parts in the same way they apply to the main part, with a couple of exceptions:

See also:

Basic concepts
Strong password guidelines