BestCrypt Frequently Asked Questions
Using BestCrypt software
1.1. Does BestCrypt create 'ghost' drives on the disk or does it only encrypt files on the disk?
1.2. Can I backup encrypted data?
1.3. Is it possible to write a container to a CD/DVD disk?
1.4. What can be done if I forget my password and can not access a container?
1.5. Can utilities like Scandisk, Defrag or Norton Utilities be run on an open container?
Security and performance
2.1. Does BestCrypt store passwords inside encrypted containers or somewhere on a disk?
2.2. Does the feature of opening a container file on another computer make BestCrypt unsafe?
2.3. What steps are taken to prevent capture of the password used to access containers?
2.6. In the Cold Boot Attacks on Encryption Keys published on February 21, 2008 the researchers describe how they can extract the computer RAM contents and reveal the secret encryption key used to scramble files. Is BestCrypt vulnerable to this attack?
BestCrypt and Operating System limitations
3.1. What operating systems does BestCrypt support?
3.2. What is the maximum size of BestCrypt container?
3.3. Are container files of BestCrypt for Windows and Linux operating systems compatible?
3.5. Is it possible to increase/decrease the size of container?
Technical problems
1. Using BestCrypt
1.1. Does BestCrypt create 'ghost' drives on the disk or does it only encrypt files on the disk?
BestCrypt creates and supports encrypted logical disks. A BestCrypt disk is visible as a regular disk with its own drive letter (for example D:, K: or Z:, i.e. any letter that is not used by another device in the system). The data stored on a BestCrypt disk lives in a container file. Because a container is an ordinary file, you can back it up, move it or copy it to another disk (CD/DVD, network share, etc.) and keep accessing your encrypted data with BestCrypt. Any free drive letter in the system may be used to mount and open an encrypted file-container; once the virtual disk is open, you read and write data on it as if it were a conventional removable disk.
1.2. Can I backup encrypted data?
Yes. An encrypted file-container is an ordinary file, and you can back it up and restore it like any other file on your computer.
1.3. Is it possible to write a container to a CD/DVD disk?
With a CD/DVD writer you can use two types of disks: CD/DVD-R disks, which can be written only once, and CD/DVD-RW disks, which can be rewritten many times. BestCrypt works with both, but because of the nature of the media the way encrypted data is stored on them differs.
A container file can be written to a CD/DVD-R disk only once, and afterwards it can be mounted only in read-only mode; you will not be able to write new files to a virtual drive that is mounted as a read-only device. Encrypted containers on CD/DVD-R disks are therefore used as follows.
Create the container file on your *hard drive*, with a size that does not exceed the capacity of your CD/DVD disk. Mount the container and write all the files you want to encrypt to the mounted virtual drive. Then (and this is important) dismount the container, so that all cached writes are flushed into the container file, and burn it to the CD/DVD-R disk.
To copy the container, use the standard software for your CD writer, i.e. copy the container as if it were any other file. Afterwards, as soon as you insert the CD/DVD disk, the drive letter corresponding to the device appears in BC Control Panel and you can mount the containers stored on the disk as read-only virtual drives.
With CD/DVD-RW disks you can create BestCrypt containers, mount them and write files to them exactly as you do with containers on hard drives: insert the CD/DVD-RW disk into the CD/DVD drive, run BC Control Panel, create a container on the CD/DVD-RW disk, mount it and write files to the mounted virtual drive.
Containers stored on a CD/DVD-RW disk can then be mounted as virtual drives with full (read/write) access. Of course, the method used for CD/DVD-R disks (preparing the container on a hard drive and then burning it) works for CD/DVD-RW disks too.
1.4. What can be done if I forget my password and can not access a container?
Unfortunately, nothing can be done here. If you lose your password, there is no way to decrypt your data. This is so for the following reasons:
a. BestCrypt products use strong encryption algorithms. There is no known way to break these algorithms other than a brute-force attack, and even if all the computing power in the world were combined for a brute-force attack, it would take many billions of years to break a 256-bit key. (This applies to the key itself; a weak or dictionary password can still be guessed, which is why the Security section below recommends random passwords.)
b. We did not insert any "back (or trap) doors" into the BestCrypt software that would allow recovering information about the password. Our government does not oblige us to insert any "backdoors" into our products, and we ourselves strongly believe that only the owner of data should decide who is allowed to access it.
To help our users answer the question about possible backdoors (and not only for that), we publish a freeware package named 'BestCrypt Development Kit' (BDK), which you can download from our download page. BDK contains the source code of all the encryption and hash algorithms, so you can check for yourself whether they contain any backdoors.
1.5. Can utilities like Scandisk, Defrag or Norton Utilities be run on an open container?
You can run any disk utility on a BestCrypt drive exactly as you run it on other regular drives.
It is safe to run a defrag utility on BestCrypt volumes, but if you are going to run the utility on the hard drive where BestCrypt containers are stored, it is strongly recommended to dismount the containers (if they are mounted) before running the utility. Besides, if you want the container file itself to be defragmented like any other file, you have to disable the Container Guard utility: while it is active, it will not let the defragmenter move parts of the container file.
A BestCrypt container is an ordinary file to the operating system, so every operation available for files is also available for BestCrypt containers, and it is possible to send a container as an e-mail attachment.
However, it is not a convenient way, because (1) you have to communicate your password to the recipient somehow and (2) the recipient must have BestCrypt installed on his/her computer.
Instead, you should use our BCArchive utility to send encrypted information via e-mail. Besides password-based encryption, BCArchive supports encryption with public/secret key pairs and has a convenient interface for sending archives by e-mail: after BCArchive is installed, the pop-up menu for a file or folder contains a new command, "encrypt by public key and send". Additionally, BCArchive can create self-extracting archives, so the recipient can open the archive even if BCArchive is not installed on his/her computer.
There are two ways of opening a container stored on a remote computer (let us call it the server).
- If BestCrypt is installed on the server, a container can be mounted on the server (the "Mount for all users" option must be set) and the logical disk shared over the network for a group of users. In this case all users have full access to the container, but the data travels over the network in the clear.
- If BestCrypt is installed on the user's workstation, the user can mount a container stored on the remote server. In this case only one user can mount the container in full read/write mode; if another user tries to mount the same container at the same time, he/she gets read-only access to the container file. The data travels over the network in encrypted form, and BestCrypt decrypts it on the client workstation.
2. Security and performance
2.1. Does BestCrypt store passwords inside encrypted containers or somewhere on a disk?
Every BestCrypt container is encrypted with a unique, randomly generated key. The key is stored inside the container in encrypted form: it is encrypted with the hash value computed from the container's password (SHA-1, SHA-256, MD5 or RIPEMD-160 is used as the hash algorithm). Hence BestCrypt does not store the password anywhere on disk, neither inside the container nor anywhere else.
2.2. Does the feature of opening a container file on another computer make BestCrypt unsafe?
No, the ability to open a container file stored on another computer does not make BestCrypt unsafe.
What happens when you mount a container stored on a remote computer? After you enter the password, BC computes its hash and then wipes the password from its buffers (the software does not need to remember it any more).
Then BC reads the encrypted key from the container file (it does not matter whether the container is remote or local) and decrypts the key using the hash value.
After decrypting, BC verifies that the key is the right one for the container and wipes the hash from its buffers (BC does not need it any more).
The key is placed in the low-level memory of the BC driver *locally* on your computer and used there for all further encrypt/decrypt operations.
So, first: BC does not need to store the password; the software only verifies whether a given password is correct. Second: even if the container is stored on another computer, all encrypt/decrypt operations are performed on your local computer, so nobody can intercept decrypted parts of the container by monitoring network traffic.
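The mount sequence described in 2.1 and 2.2, as an added example written for this page (it is not Jetico's code and does not read real BestCrypt headers): a random data key is wrapped under the SHA-256 hash of the password, the password and the hash are wiped as soon as each has done its job, and the header is checked to contain neither the password, nor its hash, nor the key. The wrap itself (XOR with the hash) and the "check" field used to confirm that the unwrapped key belongs to the container are stand-ins for the block cipher and verification BestCrypt actually uses; the names `create_container_header`, `mount` and `CHECK_LABEL` are assumptions of the example.

```python
"""Model of the mount sequence: the container holds a random data key wrapped
under a hash of the password; password and hash are wiped after use.
Illustrative code for this FAQ, not Jetico's implementation."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

KEY_LEN = 32                 # 256-bit container key
CHECK_LABEL = b"key-check"   # assumption: how "key is suitable" is verified


def _xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def create_container_header(password: str) -> Tuple[dict, bytes]:
    """Generate a fresh random key and store it only in wrapped form.

    Stand-in wrap: the key is one-time-padded with SHA-256(password).
    BestCrypt uses a block cipher here; the property that matters, that
    neither the password nor its hash is written to disk, is the same.
    Returns (header, key); the key is what the driver keeps in memory and
    is never part of the header.
    """
    key = os.urandom(KEY_LEN)
    kek = hashlib.sha256(password.encode()).digest()
    header = {
        "hash": "sha256",
        "wrapped_key": _xor(key, kek),
        "check": hmac.new(key, CHECK_LABEL, "sha256").digest(),
    }
    return header, key


def mount(header: dict, password: str) -> Optional[bytes]:
    """Unwrap the key from a header (local, or fetched from a server).

    Order follows the text: hash the password, wipe the password, unwrap,
    verify, wipe the hash. Returns the key, or None for a wrong password.
    Python cannot guarantee the original str is gone from RAM, so only the
    mutable bytearray copies are zeroed here; a driver zeroes real buffers.
    """
    pw = bytearray(password.encode())
    kek = bytearray(hashlib.sha256(pw).digest())
    pw[:] = b"\x00" * len(pw)                      # password no longer needed
    key = _xor(header["wrapped_key"], bytes(kek))
    kek[:] = b"\x00" * len(kek)                    # hash no longer needed
    expected = hmac.new(key, CHECK_LABEL, "sha256").digest()
    if not hmac.compare_digest(expected, header["check"]):
        return None                                # wrong password: garbage key
    return key                                     # lives in local driver memory


def header_leaks_secret(header: dict, password: str, key: bytes) -> bool:
    """True if the raw password, its hash or the key appears in the header."""
    blob = b"".join(v for v in header.values() if isinstance(v, bytes))
    pw = password.encode()
    return any(s in blob for s in (pw, hashlib.sha256(pw).digest(), key))


if __name__ == "__main__":
    hdr, data_key = create_container_header("correct horse")
    assert mount(hdr, "correct horse") == data_key
    assert mount(hdr, "wrong password") is None
    assert not header_leaks_secret(hdr, "correct horse", data_key)
    print("mount sequence OK; header holds no password, hash or key")
```

Note the practical consequence of wrapping under a plain, fast hash of the password: anyone holding a copy of the header can test candidate passwords offline at the speed of SHA-256, which is exactly why the password-guessing answer further down insists on long random passwords.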
2.3. What steps are taken to prevent capture of the password used to access containers?
Yes, in Windows a password can be intercepted while you type it: a virus-like resident program can capture your keystrokes and save them to disk. To prevent this kind of attack BestCrypt contains a special utility named Keyboard Filter. When BestCrypt Keyboard Filter is active, keyboard-monitoring programs receive random keystrokes instead of the real password. Even if your password is "aaaaaa", the interceptor sees a random string, and every time you enter the same "aaaaaa" password the intercepted string is different.
There are two possible configurations of your computer at the moment you access Internet resources (when the risk of unauthorized access to your data appears):
First, a BestCrypt container is mounted. At that moment the BC logical drive looks like any other regular drive on your computer; for instance, disk utilities cannot tell the difference between a BestCrypt drive and an ordinary hard drive. Therefore, if some Java applet or other code is loaded on your computer at that moment, it is potentially able to access the data on the BestCrypt drive. Use firewall software for full protection.
Second, none of your BestCrypt containers is mounted. In this configuration all the data stored in the encrypted containers is inaccessible to any tool. Even if a BC container is stolen by hackers over the network, they will not be able to decrypt the data, because of the strong encryption algorithms implemented in BestCrypt.
Yes, we are aware of companies that provide such a service. These programs (password-guessing modules) use dictionary, brute-force or combined attacks on BestCrypt or any other password-based software.
If someone uses a regular word, phrase, name or anything else that can be found in a dictionary, a guessing module will find the password quickly. In all the years we have worked on BestCrypt we have strongly recommended using password strings that are as random as possible. As some theoretical papers note, a 20-letter English phrase, instead of having 20 x 8 = 160 bits of randomness, has only about 20 x 2 = 40 bits (5 bytes) of randomness. For example, the string "jtBL1@cpheR!*>" is not an English word or phrase and its randomness is much higher than that of the passphrase "In God We Trust".
If your password consists of random characters, a length of about 30 characters is so secure that even the computational power of the far future will not allow intruders to find it. In practice, random 12- to 15-character passwords are very strong.
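The reasoning above, as an added worked example written for this page (not Jetico's code): it puts rough entropy figures on the two passwords quoted in the text using the FAQ's own 2-bits-per-letter estimate for English, turns bits into years of exhaustive search at an assumed guessing rate, and runs a tiny dictionary attack against a SHA-256 password hash of the kind a container header would be attacked through. The wordlist and the guessing rate are constructed assumptions; the entropy estimate for random passwords simply counts the character classes used.

```python
"""Rough password-strength estimates matching the FAQ's reasoning, plus a
tiny dictionary attack against a password hash. Illustrative code for this
page; the bits-per-character figure is the FAQ's estimate, not a measurement."""
import hashlib
import math
import string
from typing import Iterable, Optional

ENGLISH_BITS_PER_CHAR = 2.0    # the FAQ's "about 20 x 2 = 40 bits" estimate
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_password_bits(password: str) -> float:
    """Entropy if every character was drawn uniformly from the union of the
    character classes the password uses (lower, upper, digits, symbols)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)        # 32 printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def english_phrase_bits(phrase: str) -> float:
    """Entropy estimate for natural-language text, counting letters only."""
    letters = sum(1 for c in phrase if c.isalpha())
    return letters * ENGLISH_BITS_PER_CHAR


def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Years needed to enumerate the whole space at the given guessing rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def dictionary_attack(stored_hash: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """What a guessing module does: hash each candidate, compare, stop on hit."""
    for candidate in wordlist:
        if hashlib.sha256(candidate.encode()).digest() == stored_hash:
            return candidate
    return None


# Constructed wordlist standing in for the dictionaries guessing modules ship.
WORDLIST = ["password", "letmein", "In God We Trust", "qwerty123", "admin"]


def demo() -> dict:
    """Compare the FAQ's two example passwords (assumed rate: 1e18 guesses/s)."""
    phrase, rnd = "In God We Trust", "jtBL1@cpheR!*>"
    return {
        "phrase_bits": english_phrase_bits(phrase),          # 12 letters -> 24 bits
        "random_bits": random_password_bits(rnd),            # 14 chars of 94 -> ~91.8 bits
        "key_256_years_at_1e18_per_s": years_to_search(256, 1e18),
        "phrase_found": dictionary_attack(hashlib.sha256(phrase.encode()).digest(), WORDLIST),
        "random_found": dictionary_attack(hashlib.sha256(rnd.encode()).digest(), WORDLIST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The 256-bit figure comes out at roughly 10^51 years even at an unrealistic 10^18 guesses per second, which is the "many billions of years" claim in 1.4; the phrase, by contrast, falls to the first dictionary that contains it regardless of how strong the cipher is.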
BestCrypt v.8 allows users to create a backup copy of the container's header and to remove (wipe) the original header from the container file. The copy must be stored in a safe place, for example on a removable device. Without the header it is impossible to access the data inside the container, because the header stores the encryption key for the data, so password-guessing modules cannot attack such a "headless" container.
2.6. In the Cold Boot Attacks on Encryption Keys published on February 21, 2008 the researchers describe how they can extract the computer RAM contents and reveal the secret encryption key used to scramble files. Is BestCrypt vulnerable to this attack?
After the Cold Boot Attacks on Encryption Keys article was published, updated versions BestCrypt v.8.04 and BestCrypt Volume Encryption v.1.99 were released on February 28, 2008 to prevent the attack as far as a software solution can.
The article describes how RAM (Random Access Memory) can be examined to extract encryption keys when the computer is in one of the following states: normal operation, hibernate mode, sleep mode, turned off, locked by a screen saver, crashed. The following functions are implemented in BestCrypt software to minimize the risk of the attack:
- BestCrypt dismounts virtual drives upon shutdown, restart or logoff. When BestCrypt dismounts virtual drives, it always shreds (wipes) the encryption keys in memory (this functionality is available in earlier BestCrypt versions too).
- System crash. Upon a hard system failure Windows writes the memory contents to a crash dump file. BestCrypt detects the system crash, and a special module wipes the virtual drives' encryption keys before Windows starts writing the dump file, so these keys do not appear in the crash dump. BestCrypt Volume Encryption (BCVE) handles its encryption keys differently: BCVE has a Secure Hibernating feature that encrypts the contents of the hibernate and crash dump files, so sensitive data is encrypted on disk. Note that the hibernate and crash dump files are encrypted only if the boot/system partition is encrypted. When Windows finishes writing the dump file, BCVE wipes its encryption keys, so it is impossible to extract the key from RAM after a system crash.
- Hibernate mode. When the computer goes into hibernate mode, the encryption keys of BestCrypt virtual drives are stored in the hibernate file. The best solution is to encrypt the boot/system partition with BestCrypt Volume Encryption. We strongly discourage leaving virtual drives mounted when the computer goes into hibernate mode if your boot/system partition is not encrypted. BestCrypt Volume Encryption's Secure Hibernate feature effectively protects the encryption keys stored in the hibernate file, and after Windows completes writing the hibernate file BCVE wipes all encryption keys in RAM, including the keys of BestCrypt virtual drives.
- Shutdown and restart. BCVE detects shutdown and restart events and wipes the encryption keys after Windows finishes flushing all its cache buffers.
- Sleep and screen-saver locking modes. In these modes BestCrypt does not dismount its virtual drives, and BCVE cannot dismount the encrypted boot/system partition because Windows is actively using it. If an adversary powers down the computer, he/she will be able to inspect the RAM contents as described in the "Cold Boot Attacks on Encryption Keys" article. As a countermeasure we created the "Alarm Crash Hotkey" option in BestCrypt Volume Encryption. The option allows the user to assign a hotkey combination that forces the system to crash in an emergency.
Alarm Crash Hotkey notes:
- Alarm Crash Hotkey works in all computer states: whether the user is logged on or not, when the computer is locked by a screen saver and even when the computer is in sleep mode. (Regular hotkeys installed by Windows applications work only when the user is logged on.)
- The user can press the hotkey while Windows is booting and the computer will crash. For example, the user has already entered the password for the boot/system partition, but the threat of an attack appears before Windows has finished loading.
- Of course the user could simply power down the computer, but only Alarm Crash Hotkey guarantees that the encryption keys are removed from memory; cutting the power leaves them in RAM, which is exactly what the article's attack exploits.
- Alarm Crash Hotkey can be set or changed only by an Administrator, but anyone who knows the hotkey can press it to avert the attack.
Conclusion.
To protect your system in practice against the attack described in the Cold Boot Attacks on Encryption Keys article, we recommend the following:
- Encrypt the boot/system partition with BestCrypt Volume Encryption.
- Do not leave your computer unattended with encrypted data open for access in sleep mode or locked by a screen saver.
- Set the Alarm Crash Hotkey and use it in an emergency if someone attempts to power down your computer.
In all other cases (shutting down or restarting the computer, crashing Windows, hibernating), BestCrypt and BestCrypt Volume Encryption securely manage the encryption keys stored in RAM.
3. BestCrypt and Operating System limitations
3.1. What operating systems does BestCrypt support?
BestCrypt version 8 supports the following operating systems:
- Windows Vista 32-bit, 64-bit
- Windows XP 32-bit, 64-bit
- Windows 2000
- Windows 2003 Server
- Windows NT version 4.0 (Workstation or Server)
- Windows 9x
- Windows ME
3.2. What is the maximum size of BestCrypt container?
Windows 2000/NT/2003 Server/XP/XP x64/Vista: the maximum size of a container is limited by the size of the volume on NTFS, 4 GBytes on FAT32 and 2 GBytes on FAT16 formatted volumes.
Windows 95/98/ME: the maximum size of a container is 4 GBytes on FAT32 and 2 GBytes on FAT16 formatted volumes.
Old Linux distributions have a 2 GB file size limit; newer distributions (RedHat 7.0+, SuSE 7.0+, Debian 3.0+) remove this limit. See also the BestCrypt for Linux Online Documentation.
3.3. Are container files of BestCrypt for Windows and Linux operating systems compatible?
Yes. The container format used by BestCrypt for Linux is compatible with containers created by v.6 (and above) of BestCrypt for Windows.
Yes, it is possible, but remember the limitation of older Linux distributions noted above: they do not support files larger than 2 GB (whereas Windows 2000/XP/Vista can create much larger files on NTFS partitions). So if you want to use a container in both Linux and Windows, keep it no larger than 2 GB unless your Linux distribution supports large files.
3.5. Is it possible to increase/decrease the size of container?
Currently BestCrypt does not provide a function for changing the size of a container. Resizing a container is not easy: the operation takes a long time and is risky, because BestCrypt would have to rebuild the filesystem structures inside the container. Making the process absolutely safe (journaling every step, and so on) would require a lot of disk space, possibly as much as the size of the container itself.
When we weighed how a safe resize could be done, we concluded that the most reliable and safest (and clearest for the user) way to change the size is to create a new container of the desired size and copy all the needed files into it. It is the obvious and simplest approach, and at the same time the most reliable one.
If the "User Account Control" feature of Vista is enabled, each process runs either in "user mode" or in "admin mode". Sometimes Vista asks you to confirm your administrative rights, which means the process is being "elevated" to admin mode. Even though you have admin rights on the computer, BestCrypt usually runs in user mode, and Windows Vista does not allow writing to the root folder and some system subfolders in user mode.
There are three solutions to the problem:
- Move the container to another location (a non-system folder) and create new containers in a non-system folder.
- Run BestCrypt Control Panel in administrative mode ("Run as administrator").
- Disable User Account Control in the Vista Control Panel (the least desirable option, since it weakens the whole system, not just BestCrypt).
4. Technical problems
A BestCrypt container file, like a regular drive, consists of 512-byte sectors. Sectors in the container are encrypted and accessed independently, so if some sectors become damaged the BestCrypt driver is still able to read and properly decrypt all the other sectors. The consequences are the same as for a few damaged bytes on a hard drive: the operating system marks one 512-byte physical sector as bad and the rest remains usable.
A real problem arises if the damage occurs in the first part of the container file (the header, about 4 KB), where the encryption key is stored. Although the software makes some effort to keep backup information, the possibility of such an accident exists. It is like damaging the first part of a regular hard drive, where the partition table and the filesystem structures are stored.
To protect yourself against data loss you should keep backup copies of all your containers. Even if you make a backup copy only once, the part of the container where the encryption key is stored is saved, so the risk of losing the whole container disappears.
The message 'Undefined Key Generator Error' or 'Key generator id is defined' appears in the following cases:
1. Some module of the BestCrypt Key Generator has been corrupted.
2. An older version of BestCrypt is used to open a container created with the SHA-256 key generator (available since version 7.12).
3. An older version of BestCrypt is used to open a container created with the KG-Ghost key generator (available since version 8.0).
(Please note that containers created by an old version are always compatible with later versions, but not vice versa.)
Installing the newest version on the computer solves the problem.
Usually it is Windows Explorer that is responsible for this problem: it does not release some handles even after you close all files. If you restart Explorer after closing all files, the message will not appear. You can try closing Explorer with Windows Task Manager, starting it again ("New Task" button) and then dismounting again, just to check.
There is also a "Force Dismount" option: create a batch file that can be run with a shortcut key. The batch file contains a command to dismount all BC containers (or one of them).
The contents of the batch file (alarm.bat, for example) will look like:
start BestCrypt.exe CloseAll Anyway
You can create a shortcut for the file and put it on your desktop, or assign a hotkey for running the batch file.
BestCrypt reports that a file is not a valid BestCrypt container when its first, simple check of the signatures in the first 512 bytes of the container file fails.
If you have a backup copy of the container's header, you should restore the header from it. In BestCrypt v8 this is done with the 'Restore header from backup copy' command. If you are running BestCrypt version 7, contact the Jetico Technical Support Department and we will help you restore the container.
If you do not have a backup copy of the header, restoring the container is hardly possible. Still, contact the Technical Support Department; each such case is handled individually.
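The container layout discussed in the "Technical problems" section (512-byte sectors accessed independently, a header of about 4 KB holding the key, a signature check on the first 512 bytes) and the header backup, wipe and restore operations from the "headless container" answer in the Security section, as one added example written for this page. It is not Jetico's code and does not read real BestCrypt files: the signature string, the per-sector HMAC keystream and the raw key sitting in the header are stand-ins (BestCrypt stores the key encrypted under the password hash and uses a block cipher per sector). It shows that a damaged data sector costs exactly one sector, that a damaged or wiped header makes the whole container unreadable, and that restoring the header from a backup copy brings everything back.

```python
"""Model of a container as the FAQ describes it: ~4 KB header (signature in
the first 512 bytes, key inside) followed by independently encrypted
512-byte sectors. Illustrative code for this page, not Jetico's."""
import hmac
import os

SECTOR = 512
HEADER = 4096
KEY_LEN = 32
MAGIC = b"EXAMPLE-CONTAINER-V1"   # constructed signature, not BestCrypt's


def _keystream(key: bytes, sector_no: int, n: int) -> bytes:
    """Per-sector keystream from HMAC(key, sector number || counter).
    Stand-in for the per-sector block-cipher mode: sector i depends only
    on i and the key, never on the bytes of sector i-1."""
    out = b""
    counter = 0
    while len(out) < n:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, "sha256").digest()
        counter += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def create_container(n_sectors: int) -> bytearray:
    """Header = signature + random key, zero-padded to 4 KB; then zeroed sectors."""
    key = os.urandom(KEY_LEN)
    header = MAGIC + key
    header += b"\x00" * (HEADER - len(header))
    return bytearray(header) + bytearray(n_sectors * SECTOR)


def is_valid(container: bytearray) -> bool:
    """The first check BestCrypt makes: the signature in the first 512 bytes."""
    return bytes(container[:SECTOR]).startswith(MAGIC)


def _key(container: bytearray) -> bytes:
    if not is_valid(container):
        raise ValueError("not a valid container")
    return bytes(container[len(MAGIC):len(MAGIC) + KEY_LEN])


def write_sector(container: bytearray, i: int, data: bytes) -> None:
    data = data.ljust(SECTOR, b"\x00")[:SECTOR]
    off = HEADER + i * SECTOR
    container[off:off + SECTOR] = _xor(data, _keystream(_key(container), i, SECTOR))


def read_sector(container: bytearray, i: int) -> bytes:
    off = HEADER + i * SECTOR
    return _xor(bytes(container[off:off + SECTOR]), _keystream(_key(container), i, SECTOR))


def backup_header(container: bytearray) -> bytes:
    return bytes(container[:HEADER])


def wipe_header(container: bytearray) -> None:
    """Make the container 'headless': without the key nothing decrypts."""
    container[:HEADER] = os.urandom(HEADER)


def restore_header(container: bytearray, backup: bytes) -> None:
    container[:HEADER] = backup


def demo() -> dict:
    c = create_container(8)
    for i in range(8):
        write_sector(c, i, b"sector %d payload" % i)
    c[HEADER + 3 * SECTOR] ^= 0xFF            # one damaged byte in sector 3
    r = {
        "other_ok": read_sector(c, 2).rstrip(b"\x00") == b"sector 2 payload",
        "damaged_ok": read_sector(c, 3).rstrip(b"\x00") == b"sector 3 payload",
    }
    backup = backup_header(c)                 # the copy BestCrypt v8 lets you make
    wipe_header(c)                            # header damage (or deliberate wipe)
    r["valid_after_wipe"] = is_valid(c)
    try:
        read_sector(c, 2)
        r["readable_after_wipe"] = True
    except ValueError:
        r["readable_after_wipe"] = False
    restore_header(c, backup)                 # 'Restore header from backup copy'
    r["ok_after_restore"] = read_sector(c, 2).rstrip(b"\x00") == b"sector 2 payload"
    return r


if __name__ == "__main__":
    print(demo())
```

Run it and the dictionary reads `other_ok: True, damaged_ok: False, valid_after_wipe: False, readable_after_wipe: False, ok_after_restore: True`: sector damage stays local, header damage is total, and a single early backup of the header is enough to survive it, which is the point of the advice above.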
You should clear the 'READ ONLY' checkbox in the 'MOUNT CONTAINER' dialog.

