BestCrypt Volume Encryption software (or BCVE) allows the user to encrypt all data on existing disk partitions and disk volumes. The main window of the BCVE program on Mac OS is pictured below.
When the software runs as an Enterprise Client managed by Jetico Central Manager (JCM), its behavior depends on the encryption policy assigned by the JCM administrator.
If the policy forces encryption, the user will be asked to enter a password twice before starting the process:
This password is the Master Boot Password. Once the encryption process has started, the user must enter the Master Boot Password at every boot.
For Mac computers with a T2 security chip, you will be prompted to enter your user account password. This password will be used to unlock your system at boot time.
If the policy forces an encryption or decryption process, the process runs in the background, and its progress is displayed by the BestCrypt Volume Encryption Resident panel, available through the icon in the right part of the system menu:
The BestCrypt Volume Encryption Resident panel shows the encryption policy currently assigned by the JCM server. In the picture above, the policy is Encrypt fixed disks. The BestCrypt Volume Encryption Resident menu also provides the Change/Reset Master Boot Password commands:
NOTE: For Mac computers with a T2 security chip, changing the encryption password is done by changing the user account password in System Preferences. Resetting the encryption password is done using the Recovery Key created when activating encryption and stored in the JCM Server database.
A user on the client computer can stop (pause) the process, but it will be automatically resumed after a set period of time. In addition, the process will automatically resume after restarting the system.
If the policy forces an encryption or decryption process, the BCVE main window can be opened. However, most of the available functions will remain inactive. The following commands are available in this mode:
If the policy does not force encryption/decryption and is set to Manage locally, all of the standard BCVE commands are available on the client computer. The user can encrypt and decrypt volumes, and change or add volume passwords.
As soon as the policy becomes 'Encrypt' again, the program will prompt the user to enter a boot-time password and a volume password in order to encrypt all volumes with a single master password:
If volumes are encrypted with different encryption algorithms, they will not be changed. However, the computer will be considered 'policy non-compliant' even after the encryption process is finished. The same applies when the client computer was previously encrypted with the standalone version of BCVE (not managed by JCM).
To reduce the risk of losing encrypted data in an emergency, BCVE always creates and updates the rescue file necessary to recover encrypted disk volumes. With Jetico Central Manager, all of the rescue information from client computers is saved securely within the JCM Database. As a result, the JCM administrator can run a recovery process on client computers encrypted by BCVE without any action from the user.
The encryption policy also includes an option for removable devices. If the policy is set to force encryption, then when inserting a non-encrypted USB drive, the user will be prompted to enter a password to encrypt the device. If the user refuses to encrypt it, access to the device will be blocked or restricted. If the policy does not force the encryption of removable devices, inserting an encrypted USB disk will prompt the user to decide whether the device should be decrypted.