Basic whole disk encryption functions
BestCrypt traditionally provides users the ability to encrypt volumes. With the release of 5 major version of the software, the user is now able to manage low-level security functions that are exposed by the storage devices. These functions were developed independently by different storage hardware vendors and the interfaces were standardized by a Trusted Computing Group. BCVE v5 relies on the standard called TCG Opal 2 and only supports disk drives that compliant with this standard.
A disk compliant with the TCG Opal 2 standard is usually named Self-Encrypting Drive (SED). This term will be used in this manual.
How do SEDs encrypt your data?
According to the TCG, the SED encryption process is designed to be transparent, or completely invisible to the user or system application software. From the moment the SED leaves the manufacturer and is powered on in the host system, data being written to and read from the drive is constantly being encrypted and decrypted
SEDs use an on-board cryptoprocessor to encrypt and decrypt your data. They accomplish this goal by generating a unique, randomized, symmetric data encryption key (DEK) that’s stored in the drive itself, which the drive controller then uses to convert your files into virtually indecipherable text, or ciphertext. Whenever you access your data, that same DEK is used to decrypt the ciphertext.
The drive’s DEK is a key for encrypting and decrypting the data stored on your drive. But to be fully protected from unauthorized access, it is necessary to establish a unique password which prevents decryption of the DEK. SEDs that conform to TCG’s Opal 2.0 specification, allow for this authentication.
If you have set a password, the drive becomes locked, and you’ll have to enter that key during boot to access the contents of the drive, just like you would with your software encryption and with operating system user account. And just like the passcode on your smartphone, entering too many incorrect passwords can temporarily lock the drive. Nonetheless, once your system is powered off, the drive locks automatically and remains locked until your password is entered upon boot again.
Terminology used by BestCrypt Volume Encryption
The BCVE program uses commands Encrypt/Decrypt and Mount/Dismount. Taking into account that a SED drive is always encrypted, these terms look quite irrelevant and not technically accurate. BCVE uses them to make the interface more user-friendly, because the same commands are also used for volume encryption.
Actually, the commands used in the program have the following technical meanings:
- Encrypt - Enable locking. Configure drive, set a password, start managing drive.
- Decrypt - Disable locking. Set a default password, abandon drive management.
- Dismount - Lock drive. Restrict read and write operations to the managed SED.
- Mount - Unlock drive. Allow read and write operations to the managed SED.
SED operations available for users.
The user is able to manage disk encryption via these manipulations:
Enable/disable locking the drive (Encrypt/Decrypt)
Lock/Unlock the drive (Mount/Dismount)
Run hardware compatibility test
Manage encryption passwords
Manage automount settings
Erase device encryption keys