Using BestCrypt Volume Encryption

Encrypting and Decrypting Volumes

BestCrypt Volume Encryption allows the user to permanently encrypt a whole volume. After encrypting a volume the software transparently decrypts data from the volume when applications read the volume and transparently encrypts data when it is written to the volume.

To encrypt a volume, first select it in the BestCrypt Volume Encryption main window, then run the Encrypt command. You can run the command by clicking the Encrypt button in the program toolbar, or by choosing Encryption -> Encrypt from the context menu of the volume selected in the left pane of the program window.

After running the Encrypt command the following window will appear:

Select the encryption algorithm for the volume in the Algorithm combo box. For more information about the available algorithms, see the Encryption Algorithms article.

Enter the password for the disk volume twice, in the Password and Confirm password edit boxes, to make sure that you typed it correctly. After entering the password, click OK to encrypt the volume or Cancel to cancel the operation.

Encrypting is a time-consuming operation. You can close BestCrypt Volume Encryption, since quitting the application does not stop the permanent encrypting (or decrypting) operation. The process will run in the background, and you can view the current status of the operation in the Volumes Panel of the BestCrypt Volume Encryption Resident module.

To suspend the permanent encrypting (or decrypting) process, click the Stop button on the Toolbar. You can continue the encrypting process at any time you prefer, for example, after turning off the computer and starting it again several days later. To continue the process, select the volume and run the Encrypt command again.

To decrypt the volume, click Decrypt on the Toolbar. You will need to enter the appropriate password to start the decrypting process.

NOTE: When encrypting or decrypting the System volume, if you need to restart or shut down the computer, it is strongly recommended to Stop the encryption process first. If you shut down the computer without stopping the process, Rescue information won't be saved.

Mounting and Unmounting Volumes

When the user has permanently encrypted a volume, BestCrypt Volume Encryption transparently decrypts all data read from the volume, provided the volume is opened for access. In BestCrypt Volume Encryption terms, an encrypted volume is opened for access when it is mounted.

To mount an encrypted volume, select the volume in the main window of BestCrypt Volume Encryption and run the Mount command. The software will ask you to enter the password for the volume. After you enter the proper password, the data becomes available to the user.

To close access to the volume, run the Unmount command. For removable devices, this command works in the same way as the standard 'Eject' command in Finder.

System Volume

BestCrypt Volume Encryption allows encrypting the System volume. The System volume is the disk volume that stores the operating system files necessary to boot the operating system. When the System volume is encrypted, it appears in the program window as follows:

If you encrypt the System volume, BestCrypt Volume Encryption must mount the volume at a very early stage of booting the operating system. In fact, the first code your computer runs is the BestCrypt Volume Encryption passphrase request procedure.

NOTE: For Mac computers with the T2 security chip, system encryption is used, with the encryption algorithm defaulting to AES-256-XTS. When activating the encryption, you will be prompted to enter your user account password. This password will be used to unlock your system at boot time.

Managing Passwords

BestCrypt Volume Encryption allows the user to manage passwords for encrypted volumes in several ways. Every encrypted volume has a Master Password - it is the password the user enters when he/she encrypts the volume. The user can change the Master Password.

Besides the Master Password, the user can add several other passwords to an encrypted volume, including boot and system volumes. These additional passwords can be removed at any time. This functionality is convenient and provides more security, because an administrator can add passwords for other users to gain temporary access to encrypted data and then remove those passwords. It also saves an administrator from having to share his/her own password with other users.

BestCrypt Volume Encryption allows the user to perform the following operations with passwords:

The commands are available in the Volume -> Password menu (or in the right-click menu of the selected volume):

NOTE: For Mac computers with the T2 security chip, only changing the password is possible. This must be done by changing the user account password in System Preferences.

Mount at Boot Time option

If the System volume is encrypted, you can enable the Mount at Boot Time option for other encrypted volumes. When the user checks the option, the program mounts the volume when the computer starts booting the operating system.

The option is available in the Volume -> Mounting menu (or in the right-click menu of the selected volume). To enable the option, you will be prompted for the password for the selected volume and the password for the System volume (additional passwords are accepted as well). After the option is enabled, the volume will be automatically mounted at system boot time.

NOTE: This option is not available for removable drives. For Mac computers with the T2 security chip, it is available only for APFS volumes.

See also:

Encryption Algorithms
User Interface
Rescue Procedure
Strong Password Guidelines
Windows Compatibility and Transition Notes