Security characteristics


Encryption Algorithms

BestCrypt Volume Encryption allows the user to encrypt data with several encryption algorithms that are regarded as strong. Every algorithm is implemented with the largest possible key size defined in the algorithm's specification:

AES (Rijndael): 256-bit key
RC6: 256-bit key
Serpent: 256-bit key
Twofish: 256-bit key


Encryption Mode

BestCrypt Volume Encryption uses XTS encryption mode with all of the encryption algorithms listed above. XTS mode is designed specifically for applications that work at the disk-sector level and is more secure than popular modes used earlier, such as Cipher Block Chaining (CBC) mode.
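
An added illustration of the sector-level behaviour described above; it is not BestCrypt code and uses the third-party Python `cryptography` package. The 512-byte sector size, the constructed demo keys, the little-endian sector-number tweak and all function names are assumptions of the example.

```python
# Added illustration (not BestCrypt code): AES-256 in XTS vs CBC on one disk sector.
# Requires the third-party "cryptography" package.
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR_SIZE = 512            # assumed sector size
XTS_KEY = bytes(range(64))   # constructed demo key: two distinct 256-bit halves
CBC_KEY = bytes(range(32))   # constructed demo key

def xts(sector_no, data, decrypt=False):
    # Assumption: the tweak is the sector number as a 16-byte little-endian value.
    tweak = sector_no.to_bytes(16, "little")
    c = Cipher(algorithms.AES(XTS_KEY), modes.XTS(tweak))
    op = c.decryptor() if decrypt else c.encryptor()
    return op.update(data) + op.finalize()

def cbc(iv, data, decrypt=False):
    c = Cipher(algorithms.AES(CBC_KEY), modes.CBC(iv))
    op = c.decryptor() if decrypt else c.encryptor()
    return op.update(data) + op.finalize()

def flip_bit(buf, index):
    out = bytearray(buf)
    out[index] ^= 0x01
    return bytes(out)

def changed_blocks(a, b):
    """Indices of the 16-byte blocks that differ between a and b."""
    return [i // 16 for i in range(0, len(a), 16) if a[i:i + 16] != b[i:i + 16]]

def demo():
    plain = b"A" * SECTOR_SIZE
    # XTS: identical plaintext in two sectors encrypts differently, with no size growth.
    s0, s1 = xts(0, plain), xts(1, plain)
    # Corrupt one bit in ciphertext block 2 and decrypt: only that block is affected.
    xts_damage = changed_blocks(plain, xts(0, flip_bit(s0, 32), decrypt=True))
    # CBC: the same corruption garbles block 2 and flips the same bit in block 3.
    iv = bytes(16)
    tampered = cbc(iv, flip_bit(cbc(iv, plain), 32), decrypt=True)
    cbc_damage = changed_blocks(plain, tampered)
    predictable = tampered[48:64] == flip_bit(plain[48:64], 0)
    return s0 != s1, len(s0), xts_damage, cbc_damage, predictable

if __name__ == "__main__":
    print(demo())
```

XTS confines the effect of a modified ciphertext block to an unpredictable change in that one block, but it does not detect the modification; integrity checking is a separate control.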


Two-Factor User Authentication

BestCrypt Volume Encryption supports SafeNet (formerly Aladdin) eToken Pro and eToken Java hardware devices. An Aladdin eToken is a small removable device that connects to a USB port and is designed to store data in a secure form. BestCrypt Volume Encryption can store encryption keys on eToken devices.

As a result, to access an encrypted volume the user must insert the eToken into a USB port and enter the appropriate password. Your encrypted data cannot be accessed if either of these two factors is missing: the password or the eToken device.

Two-factor authentication is also available with regular removable disks (such as USB sticks). In this case, a person who wants to access an encrypted volume must: 1) know the password for the key; 2) have the removable disk where the key is stored.

In addition, the encryption key for a boot/system volume can be stored on a network server instead of the local computer. This provides an additional level of security for enterprise use of the software: since the encryption keys are stored on an enterprise server, access to the encrypted computer is possible only if it is connected to the enterprise network.


Pre-boot Authentication

BestCrypt Volume Encryption allows the user to encrypt System and Boot volumes. When the System/Boot volume is encrypted, the user must enter the appropriate password before the computer starts loading the Windows operating system. Without the password, BestCrypt Volume Encryption cannot transparently decrypt the disk sectors where Windows stores its system files. Hence, without the password (and the hardware eToken, if used), it is impossible to boot a computer whose System/Boot volume(s) are encrypted.


Note that Microsoft's terminology for System and Boot volumes is not intuitive: the System Volume is the volume from which the computer starts loading the operating system(s); the Boot Volume is the volume where the operating system (Windows) stores its system files.


