This chapter explains why BestCrypt Volume Encryption (a line in the BestCrypt family of encryption software products) carries the name Volume Encryption. Many people assume that Volume Encryption is the same as Partition Encryption or even Whole Disk Encryption. Sometimes that is true, but not always, and it is worth learning the difference.

The idea behind Whole Disk Encryption software is rather simple. Such software works with a physical hard drive and is intended to encrypt all the sectors on that drive. In practice, the software usually does not encrypt the first sectors (usually 63 sectors), which are reserved for future use (the latest versions of Windows can use these sectors). Whole Disk Encryption software encrypts every hard drive on the computer independently, often with different encryption keys.


Figure 1. Whole Disk Encryption


Partition Encryption software usually works on basic disks. It is a more flexible way of encrypting data, because it allows the user to open (enter a password and get access to) different encrypted partitions independently. Note that if a partition occupies the whole hard drive (as partition C: does in Figure 2 below), Partition Encryption works for the user as Whole Disk Encryption.


Figure 2. Partition Encryption


Since Windows NT, the Windows operating system has allowed users to combine several partitions (even stored on different physical hard drives) into a large single "partition" called Volume. It was a significant step forward, because these volumes allow the user to:

  • create a larger single logical unit to store files (spanned volumes);
  • store sensitive data more reliably (mirrored and RAID-5 volumes);
  • achieve higher overall performance in IO operations (striped and RAID-5 volumes).

Volume Encryption software is tailored to work with these types of volumes. However, if Volume Encryption software encrypts a volume consisting of a single partition, it will produce the same result as Partition Encryption software. Similarly, if a single partition occupies an entire hard drive, Volume Encryption will be equivalent to both Whole Disk Encryption and Partition Encryption. The encryption of basic partition C: in Figure 3 (below) illustrates this.


Figure 3. Volume Encryption


What kind of encryption is better? Partition Encryption software usually works on basic partitions. When implemented, it will not be able to recognize and work with dynamic disks where spanned, RAID-5 or other types of volumes reside.

With Whole Disk Encryption software, the user can separately encrypt each entire hard disk on which volumes are stored (like HDD2, HDD3 and HDD4 in the picture above). However, every time a user wishes to access a volume, the corresponding drives must be opened first. If a hard drive is not opened prior to an attempt at volume access (i.e. the password has not been entered and transparent decryption has not started), the filesystem structure of the volume can be damaged. Windows may notice that one part of the volume is consistent but another part contains garbage, and then prompt for a fix.

Volume Encryption software treats each volume as a single portion of data. A volume is always in one of two definite states: if the password is not entered, the whole volume is inaccessible. Conversely, if the user enters the proper password and opens the volume, all of its parts, even those stored on different hard drives, become accessible. In our opinion, working with volumes is more organic for both the user and the computer, since a volume stores a complete filesystem structure and a complete tree of the user's files. It has become increasingly common for systems to be designed with individual volumes storing data scattered across a number of physical disks. It is both more convenient and safer to manage a volume than to work with every physical drive separately.
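The contrast drawn in the last two paragraphs can be modelled in a few lines. This is an added illustration, not BestCrypt code or part of the original documentation: the sector layout of the spanned volume across HDD2, HDD3 and HDD4, the keys, and the toy SHA-256 keystream cipher are all constructed assumptions.

```python
import hashlib

SECTOR = 16  # toy sector size in bytes (constructed)

def xor_sector(key: bytes, index: int, data: bytes) -> bytes:
    """Toy per-sector keystream cipher; a stand-in, not a real disk cipher."""
    stream = hashlib.sha256(key + index.to_bytes(8, "little")).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed spanned volume: six logical sectors laid out across three disks.
LAYOUT = ["HDD2", "HDD2", "HDD3", "HDD3", "HDD4", "HDD4"]
PLAIN = [f"fs-block-{i:02d}".ljust(SECTOR, ".").encode() for i in range(len(LAYOUT))]

def whole_disk_read(disk_keys: dict, unlocked: set) -> list:
    """Per-disk keys: sectors on a disk that was not opened come back as ciphertext."""
    out = []
    for i, disk in enumerate(LAYOUT):
        stored = xor_sector(disk_keys[disk], i, PLAIN[i])  # what sits on the platter
        if disk in unlocked:
            out.append(xor_sector(disk_keys[disk], i, stored))  # transparent decryption
        else:
            out.append(stored)  # the filesystem driver sees garbage here
    return out

def volume_read(volume_key: bytes, opened: bool):
    """One key per volume: either every sector is served or the volume is not exposed."""
    if not opened:
        return None
    stored = [xor_sector(volume_key, i, p) for i, p in enumerate(PLAIN)]
    return [xor_sector(volume_key, i, s) for i, s in enumerate(stored)]

def consistent_sectors(sectors) -> int:
    """Count sectors whose content matches the expected filesystem data."""
    return 0 if sectors is None else sum(s == p for s, p in zip(sectors, PLAIN))

if __name__ == "__main__":
    keys = {"HDD2": b"key-2", "HDD3": b"key-3", "HDD4": b"key-4"}  # constructed keys
    partial = whole_disk_read(keys, unlocked={"HDD2", "HDD3"})     # HDD4 was forgotten
    print("whole-disk, HDD4 locked:", consistent_sectors(partial), "of", len(PLAIN))
    print("volume, closed:", volume_read(b"vol-key", opened=False))
    print("volume, opened:", consistent_sectors(volume_read(b"vol-key", True)), "of", len(PLAIN))
```

The per-disk case yields a volume that is partly valid and partly ciphertext, which is the state the text warns Windows may offer to "fix"; the per-volume case has no such intermediate state.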