Running BestCrypt Volume Encryption as BestCrypt Base client

BestCrypt Volume Encryption can be installed as a Client component of BestCrypt Base Software. BestCrypt Base provides centralized control of encrypted client computers in a local network. The client computers are encrypted with BestCrypt Volume Encryption, which in this configuration acts as a client software receiving commands from BestCrypt Base Server.

BestCrypt Base components are shown on the following picture, where Clients have BestCrypt Volume Encryption running on their systems.

A computer that needs to be encrypted is connected to the local network and it receives configuration from BestCrypt Server. Encryption process is managed on BestCrypt Base Console installed on a separate computer. BestCrypt Base Console creates a Client Installation Package containing BCBASE_CLIENT_INSTALL.EXE setup file uniquely generated for a particular Server.

After installation, the software requires minimal attention from a user. Depending on which mode (Encrypt/Managed Locally/Decrypt) and Security Level (3/2/1/0) are chosen by Administrator, the user on the Client computer may be prompted to enter password.

A local user is unable to modify the encryption process if the Client computer is in Encrypt or Decrypt mode. In case, the encryption is run in Manage By Local User mode, the user is allowed to run BCVE in Administator mode and encrypt/decrypt disk volumes on a computer manually.

BestCrypt Base allows using maximum Two-Factor Authenticated protection for the client computers. In this case BestCrypt Base will ask the user to choose Boot-time password and then enter it when the computer boots.

Encryption Modes

When the administrator sets Encrypt option for the Client, BestCrypt Base starts encryption process on the client computer. BestCrypt Base on the Client may ask the user to choose Boot-Time Protection Password (or will not require that and work fully automatically) according to the Security Level set for the client in BestCrypt Base Console

When the administrator sets Decrypt option for the Client, BestCrypt Base on the client decrypts the computer automatically and not any actions from the client are required.

If the administrator sets Manage By Local User option, it means that the administrator delegates the right to encrypt or decrypt the client computer to the local user. BestCrypt Base installs BestCrypt Volume Encryption program as its client software, so the local user should become familiar with the software and run its Encrypt and Decrypt commands from the program to secure his/her computer.

Security Levels

There are 4 Security levels:

• Level 3 (maximum security). Encryption keys for the Client will be stored remotely on the Server. Besides, the user on the client computer is required to choose Boot-Time Protection Password. BestCrypt Base Client software displays the following dialog:
  
  
  
  The user will be required to enter the password at boot time to pass through BestCrypt Base Boot-Time Authentication process.
• Level 2 (middle security). Encryption keys for the Clients will be stored remotely on the Server. The user is not required to enter Boot-Time Protection Password. Since no interaction with the local user is required, the Client computer will be encrypted automatically. The user will never be asked to enter any passwords. Since all the encryption keys are stored remotely on the Server, it will be impossible to boot a Client computer if the Server is unavailable (for example, computer is stolen), or the administrator has disabled the computer in BestCrypt Base database.
• Level 1 (middle security). Encryption keys for the Client stored locally on the Client. It may be necessary for mobile computers that need to be able to work outside the network. Since no protection from the Server is possible for such computers, the user on the computer is required to choose Boot-Time Protection Password.
• Level 0 (no security). It is not recommended to use the Security Level 0 on production systems! Although the Client is encrypted, its keys are stored locally and not protected by Boot-Time Password! The Level 0 exists for evaluation purposes only and to simplify transition from evaluation to production environment.

NOTE: BestCrypt Base Administrator can change Security Level for the Client that is already encrypted. If old Security Level does not require entering Boot-Time Password (like Level 2), but new Level does, BestCrypt Base on the Client will display a dialog window like the one above to receive the password from a local user.

If the administrator changes Security Level from the one where entering Boot-Time Password is required (like Level 3) to the Level where entering the password is not required (like Level 2), BestCrypt Base will ask the user to enter the password, like the following window illustrates.

After entering the password, BestCrypt Base will not ask to enter the password at boot time anymore.

NOTE that when BestCrypt Base Client software encrypts the Client computer, it sends the encryption keys in encrypted form to BestCrypt Base Server. Besides, it also sends recovery information to the Server so that in critical situations the administrator could recover the Client.