Security characteristics

Encryption algorithms

BestCrypt Volume Encryption allows the user to encrypt data with a number of encryption algorithms known as strong algorithms. Every algorithm is implemented with the largest possible key size defined in the algorithm's specification:

AES (Rijndael)	256-bit key
ARIA	256-bit key
Camellia	256-bit key
RC6	256-bit key
Serpent	256-bit key
Twofish	256-bit key

Encryption mode

BestCrypt Volume Encryption utilizes XTS encryption mode with all encryption algorithms listed above. XTS mode is specially designed for applications working on disk sector level and is more secure than other popular modes used earlier (like Cipher Block Chaining (CBC) mode).

Password-based key derivation function

BestCrypt Volume Encryption stores encryption keys for user's data (Data Key) in an encrypted form. The software uses another key derived from password to encrypt the Data Key.

It is important to use a proven algorithm to derive key from password, because weak algorithms make various attacks to the password possible and even easy. BestCrypt Volume Encryption utilizes scrypt algorithm as a password-based key derivation function.

Scrypt requires intensive computational resources to derive a key from a password and it allows customizing its internal variables to make the computational efforts even harder. As a result, attacking passwords becomes a substantially more difficult task because of the long time and intense processing power required to test every password. Read more about scrypt algorithm in the RFC 7914 document.

In BestCrypt Volume Encryption parameters of the Scrypt algorithm to derive key from password are customizable. The user can choose how long the program will calculate encryption key from the password, what makes password-iterating attacks harder.

Embedded password strength estimator

To secure your data, it is important to use passwords that are difficult to guess. Utilities that can attack passwords (using a mounting dictionary attack, for example) are very powerful and it is not immediately obvious for a user to realize, how strong is the password he/she is creating.

BestCrypt Volume Encryption utilizes Zxcvbn password strength estimating algorithm at the point, when the user creates a new password to encrypt disk volumes. The user can see in the same dialog window progress indicator together with a text description of the password strength he/she is entering.

As official GitHub Zxcvbn repository states: "zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak."

Two-Factor user authentication

BestCrypt Volume Encryption supports hardware Token and Smart Card devices. They are small removable devices connected to the USB port and designed to store data in a secure form. While BestCrypt Volume Encryption supports the use of USB drives for this purpose, users can also store encryption keys on the Token and Smart Card devices. Regardless of a user’s hardware of choice, this type of two-factor authentication allows users to store encryption keys separate from their encrypted computers for an added level of security.

To gain access to an encrypted volume, a user must insert the device and enter an appropriate password. Encrypted data cannot be accessed without any of these Two Factors - without the password or without the removable device.

Pre-boot authentication

BestCrypt Volume Encryption allows the user to encrypt System and Boot volumes. When the user encrypts System/Boot volume, he/she must enter an appropriate password before the computer starts loading the Windows operating system. Without the password, BestCrypt Volume Encryption will not be able to transparently decrypt the disk sectors where Windows stores system files. Hence, without the password (and hardware eToken, if used) it is impossible to boot a computer where the System / Boot volume(s) are encrypted.

Protecting the data in process

The program now includes new Jetico BestCrypt Data Shelter utility to protect folders from unwanted processes and users. While BestCrypt Volume Encryption encrypts sectors on the disk providing strong data-at-rest protection, BestCrypt Data Shelter provides data-in-use protection. The utility allows creating a protection policy that is unique for every folder, as well as using more general policies for several folders.

Note that Microsoft terminology of System and Boot volumes is not so obvious: System Volume is a volume where computer starts to load operating system(s) from; Boot Volume is a volume where operating system (Windows) stores its system files.