BestCrypt Volume Encryption allows the user to manage passwords for encrypted volumes in several ways. Every encrypted volume has a Master Password - it is the password the user enters when he/she encrypts the volume. The user can change the Master Password.

Besides the Master Password, the user can add several other passwords to an encrypted volume, including boot and system volumes. These additional passwords can be removed at any time. The functionality is convenient and provides more security, because an administrator can add passwords for other users to gain temporary access to encrypted data and then remove the passwords. This also saves an administrator from having to share his/her own password with other users.

NOTE: The additional password feature only allows for the mounting/dismounting of encrypted volumes. It does not allow encryption, decryption, or rescue decryption.


To add a new password select the volume in the main window of BestCrypt Volume Encryption and run the Password->Add password command.

To remove an additional password select the volume and run the Password->Remove additional password command. Note that the program requires the entry of the password to remove it.

An administrator can also remove all additional passwords by running the Password->Remove all additional passwords command. In this case, the program requires the entry of the Master Password for the encrypted volume.

To change a password select the volume and run the Password->Change master password or the Password->Change additional password command.

At this time, the software will ask the user to enter the current password for the volume. After entering a proper password, BestCrypt Volume Encryption will ask for the entry of a new password twice to verify that the user has not mistyped some letter in the new password.

Managing passwords if the encryption key is stored on a hardware token.

If the encryption key for the volume is stored on removable Smart Card or Token device, the password for the volume is also the password for the device. If you decide to change the password, you should realize that new password for the Token device must be entered in other applications that use the device as well. To change a passphrase for the Token device, use the Token management software the computer must have installed (for example, for the SafeNet eToken device it is eToken PKI Client or eToken RTE).

If the encryption key for the volume is stored on Yubikey device, then it is not possible to change password directly. To do that, the user have to restore the encryption key (move it back to the volume), delete all the keys on the Yubikey device, and move the encryption key again, typing the new password.

Since some Token devices (like eToken and Yubikey) support one only password, administrator cannot add new passwords for the encrypted volume using the Add password command. Instead, administrator can copy encryption key stored on the eToken/Yubikey to eToken/Yubikey of the other user. The other user's eToken/Yubikey has another password, so all the users will open the same encrypted volume by entering different passwords for their different devices. To copy the encryption key, use the Volume->Encryption key->Backup keys to other removable device command.


See also:

Main window

Managing Keys on Hardware Token