BestCrypt Control Panel


The BestCrypt Control Panel is the central BestCrypt-user interaction application. It allows you to perform container creation and management (e.g., adding containers, changing and removing passwords) as well as some advanced operations.

The following sections describe all functions of Control Panel grouped together by the task they perform, starting with a general overview of the main Control Panel window.

General Overview

When you launch BestCrypt, the first thing you will see is the main Control Panel window, consisting of a toolbar at the top of the window and a number of control sections. Let's take a closer look at this window:

Toolbar Items

The Control Panel toolbar provides a customizable set of items to help you access different BestCrypt functions. Some of these functions apply only to the selected container. The default set of toolbar items includes Create, Locate, Mount, Eject, Forced eject, Force eject all, and Container guard.

Container List

The leftmost area of the Control Panel's main window is called the container list. Each element in this list corresponds to each container file known to be located on your system. There are several ways how containers can end up in this list:

The container list has an associated context menu for each item, which you can view by right-clicking (or control-clicking) it. You can use this context menu to easily locate a container file in Finder, remove it from the list, or delete it completely:


Each currently mounted container has a special BestCrypt virtual disk icon next to it so you can easily distinguish between them. For example, on the screenshot below, a container named secret_data.jbc is currently mounted as indicated by the green icon on the left:


At the top of the list you can also find the list filter bar. Activating the Mounted filter will only display containers that are currently mounted. The Container Name filter allows you to search the list for containers with names matching the text value you type into the filter input area. Both filters can be applied at the same time to search for mounted containers with a specified name.

Selected Container View

Upon clicking on any container in the list, that container's information and preferences will be displayed in the rightmost area of the Control Panel window, in this guide referred to as the selected container view. This area displays general information about currently selected container and allows you to change its preferences and perform various operations on it. The selected container view is divided into three major sections: General information, mount preferences, and the operations bar.


General Information

This selected view section displays basic information about currently selected container:

Mount Preferences

This section of the selected container view allows you to modify mounting behaviour for this container. All following options specify default behaviour that can be changed for each particular mount request in container mount dialog.

Operations Bar

Lastly, the operations bar located toward the top of the window combines groups of operations that can be applied to the selected container into easily accessible menus. Each of these groups of operations is discussed separately in the following sections of this guide, but for now let us briefly describe each group and provide references for more information:

Creating a New Container

1. Click "Create" on the welcome screen or toolbar.

To create a new BestCrypt container, click the Create button on the welcome screen or on the toolbar. The following dialog box will appear to guide you through the process:

3. Click "Create."

After you have set all preferred properties of your new container, click the Create button. Choose a location and a name for your new container file in popup sheet dialog and provide an initial password for it.

At this point, it is strongly advised to read through our short guide on choosing strong passwords for your container.

BestCrypt initializes an encrypted volume inside the new container with random data. This is needed to ensure the best level of protection of your encrypted data but it can take some time to complete which you can track using the progress indicator displayed above. You can, however, cancel this operation at any time by clicking the Cancel button.

After the process completes, your new container is ready and will be added to the container list with its properties displayed in selected container view. If you have specified to mount your new container by activating the Mount new container checkbox, then it will also be mounted at this point.

Managing Container Passwords

Although created with only one initial password, each container can have many more assigned to it. A total number of additional passwords depends on container file format version and password type, but for the default setting it is limited to 64 entries total (including any hidden part passwords).

BestCrypt allows you to add, change and remove passwords for existing containers and hidden parts. You can access these functions from the Passwords menu in the selected container view operations bar:

At this point, it is strongly advised to read through our short guide on choosing strong passwords for your container.

There is a pattern for how password management works for different volume types (main or hidden). All password management operations will first ask you to enter an existing container password. If that password pertains to the main part, then, for example, a newly added password will be added for the main part, and the other way around for each possible hidden part.

For any new password, BestCrypt accepts any printable symbol in any language. Anything you can type on your keyboard is a valid password symbol. However, due to security considerations, the minimum password length is always at least 8 characters. The maximum size is limited to 511 characters.

All container passwords must be unique. This includes passwords for the main part and all possible hidden parts. For example, if you are adding a new password for your hidden part but the same password is already used for the main part, then this new password is considered a duplicate and will be rejected.

Backing Up Key Data

BestCrypt generates and securely stores a set of encryption keys that all data in the container file is encrypted with. Each correct container password is used to decode those keys and set up a virtual encrypted disk. All data needed to check each password and decode encryption keys is stored in a special section of the container file that you can back up and safely store in a separate file without copying the entire container file with all its encrypted data inside.

BestCrypt allows you to create these key data backup files with the .kbb extension by default, restore previous container states from them and use them to mount your container. You can use these functions just as you would use most other Control Panel functions: from the Backup menu in selected container view:

To use key data backups effectively, there is an important point to understand: backup files contain a copy of all information about container encryption keys and passwords. This is of course stored in a secure way, but the point is that by creating a backup file you have created a snapshot of all passwords and encryption keys used for this container. Keep that in mind when you restore key data backup or mount a container using it; in the former case the previous snapshot of all container passwords is restored, and in the latter case you are authenticating against this previous snapshot.

You can use this to your advantage by backing up all container passwords in a separate backup file to safely store it on a remote device and erase or encrypt this very same information in the actual container file. This way, the only means to mount such a container is by providing a key data backup file stored separately.

Advanced Container Operations

BestCrypt provides many advanced functions to keep your data safe. However, many of these functions require some familiarity with concepts they represent. They are easy to learn and will provide you with a better level of understanding to perform these operations correctly and effectively and employ them to your maximum advantage.

As always, you can easily find all advanced functionality in the Advanced menu in the selected container view operations bar:

Most of these operations exist to boost your level of privacy when using BestCrypt containers. The following section describes each one in more detail.


Encrypted Headers

A BestCrypt container file consists of two different types of data:

  1. Encrypted data that is stored inside a container, and
  2. A service file header that contains all user-specified information like container description, size and encryption algorithm specification.

Therefore, a BestCrypt container file has a well-known structure that can be easily identified on your computer. Sometimes it is unacceptable for anyone to know and prove that you have a BestCrypt container file without actually knowing its password or even asking for it. Header encryption exists to avoid exactly this kind of threat.

The header encryption operation encrypts this well-known container header to disguise it as random, nonsensical garbage; the entire container file thus becomes absolutely indistinguishable from noise and does not have any known structure anymore and ceases to have a well-known structure. Nobody, then, can unambiguously prove that this file is a BestCrypt container.

However, it also means that even BestCrypt itself will not be able to identify this file as a container. When you encrypt container header and select it in container list BestCrypt will not be able to display any information about it. Take a look at the example below. Here we have selected a container with an encrypted header:

To further reinforce your privacy, Control Panel also treats these containers differently to remove any traces of their usage. For example, when you add this container using the Browse button, it will be removed from the container list when you close the Control Panel, thus hiding the fact that you even tried to use this file (which, in any case, is filled with seemingly random data) as a BestCrypt container.

To decrypt a container header and make it visible to BestCrypt again, return to the menu and select Decrypt header.

Hidden Parts

All encrypted data stored inside a container looks like random garbage until the correct encryption key is provided to properly interpret it. BestCrypt takes care of all of this for you; all its asks you to do is supply a password. However, there can be more than one correct interpretation of this encrypted noise, provided you know beforehand where to look for it and have the correct encryption key. And that is the best part: When all your data looks like random garbage, nobody can prove that you have more than one interpretation of it in another subset of data hidden among this random noise.

This is precisely what the hidden part is: A secret subset of encrypted data hidden inside existing encrypted (or random) data that can be made sense of only if you know where to look and have the correct password. Nobody else can prove that it really exists and force you to submit any passwords for it.

In cryptography, this concept is called plausible deniability or deniable encryption and is best explained by an example: Imagine a situation when you are pressed hard to reveal your container password. If you store all of your very important data inside a hidden part and fill the main part with seemingly and convincingly important (but really just decoy) data you can, after some hesitation, reveal the password for the main decoy part of your container and convincingly deny the existence of any other encrypted data besides the one that you've just revealed to your interrogators. And BestCrypt, of course, makes sure that it is impossible to prove you have anything else besides the main decoy part.

Being a powerful feature, Hidden Parts requires some caution to use properly.

Because BestCrypt does not know about any hidden parts you might have when mounting the main part of your container, any changes you make to the mounted main part can overwrite and damage the hidden part. You are strongly advised to fill your main part with all decoy data before creating any hidden parts.


When you choose to create a new hidden part you will be greeted by the New Hidden Part dialog, shown below:

Click the Create button to add and format new hidden part once you've set all preferences and protected any and all existing hidden parts. You will be asked to supply an initial password for your new hidden part.

At this point it is strongly advised to read through our short guide on choosing strong passwords for your new hidden part.

After creation completes you can work with your new hidden part as usual. All container operations described in this guide apply to the hidden parts in the same way they apply to the main part, with a couple of exceptions:

See also:

Basic Concepts
Strong Password Guidelines