BestCrypt Volume Encryption software provides the following advanced functionality:

1. Encrypting all types of volumes residing on fixed and removable disks:

  • I. Simple volume - a volume consisting of one disk partition.
  • II. Mount point - a volume mounted as a sub-folder on an NTFS-formatted volume.
  • III. Multipartition volume - a volume consisting of several disk partitions:
    • a. Spanned volumes;
    • b. Mirrored volumes;
    • c. Striped volumes;
    • d. RAID-5 volumes.
  • IV. Storage Spaces originally introduced in Windows 8.

2. The software provides whole-disk encryption for TCG Opal 2.0 storage devices. Such disk devices have embedded hardware-based encryption, and BestCrypt Volume Encryption utilizes and manages that hardware functionality. TCG Opal 2.0 storage devices are also known as Self-Encrypted Disks (SED). Read the article Basic whole disk encryption functions for more detail.

3. BestCrypt Volume Encryption allows encrypting data with a number of encryption algorithms regarded as strong. Every algorithm is implemented with the largest key size defined in the algorithm's specification:

  • AES (Rijndael) - 256-bit key.
  • ARIA - 256-bit key.
  • Camellia - 256-bit key.
  • RC6 - 256-bit key.
  • Serpent - 256-bit key.
  • Twofish - 256-bit key.

The AES, ARIA and Camellia implementations are optimized to use CPU hardware instructions, providing the highest possible performance.

For key management, the software supports Intel Platform Trust Technology (PTT) and other firmware TPM (fTPM) technologies.

4. BestCrypt Volume Encryption utilizes XTS Encryption Mode with all of the encryption algorithms listed above. XTS Mode is specially designed for applications working at the disk sector level. It is more secure than older modes (like Cipher Block Chaining (CBC) mode) and notably faster than LRW mode.
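The sector-level behaviour of XTS that the paragraph above refers to, shown as an added example that is not part of this page and not BestCrypt's own code: a standard-library Python implementation of the XTS layer as IEEE 1619 defines it (a per-sector tweak derived from the sector number, GF(2^128) tweak multiplication between blocks, XOR-encrypt-XOR per block). Because the example avoids third-party libraries, a toy 128-bit Feistel cipher built on SHA-256 stands in for AES; that cipher, the 512-bit key and the sample sectors are all constructed for illustration and the toy cipher is not secure. The demo function shows why the mode suits disk sectors: the same plaintext in two different sectors yields different ciphertext, a ciphertext sector copied to another sector number no longer decrypts, and flipping one ciphertext bit garbles only the 16-byte block that was hit rather than propagating as in a chaining mode.

```python
import hashlib

BLOCK = 16  # XTS is defined over a 128-bit block cipher (IEEE 1619)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(subkey: bytes, rnd: int, half: bytes) -> bytes:
    # Toy Feistel round function: keyed SHA-256 truncated to the 64-bit half.
    return hashlib.sha256(subkey + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Placeholder 128-bit block cipher: an 8-round Feistel network over SHA-256.
    It stands in for AES only so the XTS layer can be shown with the standard
    library; it is NOT a secure cipher and must not be used as one."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt (runs the Feistel rounds backwards)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def mul_alpha(tweak: bytes) -> bytes:
    """Multiply the 128-bit tweak by x in GF(2^128), little-endian byte order,
    reducing modulo x^128 + x^7 + x^2 + x + 1 as IEEE 1619 specifies."""
    out = bytearray(BLOCK)
    carry = 0
    for i in range(BLOCK):
        out[i] = ((tweak[i] << 1) & 0xFF) | carry
        carry = tweak[i] >> 7
    if carry:
        out[0] ^= 0x87
    return bytes(out)


def _xts(key: bytes, sector_no: int, data: bytes, block_fn) -> bytes:
    # XTS: key = K1 || K2. K2 encrypts the sector number into the initial tweak T;
    # block j is processed as E_K1(P_j XOR T_j) XOR T_j, with T_(j+1) = T_j * x.
    # Whole blocks only: real disk sectors (512 / 4096 bytes) are block multiples,
    # so the ciphertext-stealing step for a partial last block is not needed here.
    assert len(key) == 64 and len(data) % BLOCK == 0
    k1, k2 = key[:32], key[32:]
    tweak = toy_block_encrypt(k2, sector_no.to_bytes(BLOCK, "little"))
    out = bytearray()
    for j in range(0, len(data), BLOCK):
        out += _xor(block_fn(k1, _xor(data[j:j + BLOCK], tweak)), tweak)
        tweak = mul_alpha(tweak)
    return bytes(out)


def xts_encrypt_sector(key: bytes, sector_no: int, plaintext: bytes) -> bytes:
    return _xts(key, sector_no, plaintext, toy_block_encrypt)


def xts_decrypt_sector(key: bytes, sector_no: int, ciphertext: bytes) -> bytes:
    return _xts(key, sector_no, ciphertext, toy_block_decrypt)


def demo() -> dict:
    """Constructed sample: two all-zero 512-byte sectors, as a freshly formatted
    disk contains, encrypted under a constructed 512-bit (K1 || K2) key."""
    key = hashlib.sha256(b"constructed demo key").digest() * 2
    sector = b"\x00" * 512
    c0 = xts_encrypt_sector(key, 0, sector)
    c1 = xts_encrypt_sector(key, 1, sector)
    # Flip one ciphertext bit inside block 1 (bytes 16..31) and decrypt again.
    damaged = bytearray(c0)
    damaged[20] ^= 0x01
    p = xts_decrypt_sector(key, 0, bytes(damaged))
    garbled = [j // BLOCK for j in range(0, 512, BLOCK)
               if p[j:j + BLOCK] != sector[j:j + BLOCK]]
    return {
        "roundtrip_ok": xts_decrypt_sector(key, 0, c0) == sector,
        # Same plaintext, different sector numbers: the tweak makes ciphertexts differ.
        "sectors_differ": c0 != c1,
        # Within one sector, 32 identical zero blocks still give 32 distinct blocks.
        "distinct_blocks": len({c0[j:j + BLOCK] for j in range(0, 512, BLOCK)}),
        # A ciphertext sector moved to another position does not decrypt there.
        "moved_sector_decrypts": xts_decrypt_sector(key, 1, c0) == sector,
        # Unlike a chaining mode, corruption stays inside the block that was hit.
        "garbled_blocks": garbled,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Swapping `toy_block_encrypt`/`toy_block_decrypt` for a real AES-256 primitive turns this into XTS-AES-256 with its 512-bit key; the tweak handling and the per-sector properties exercised in `demo()` stay the same.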

5. BestCrypt Volume Encryption can encrypt boot volumes as well as system volumes (where Windows stores its system files, including the Registry, page files and hibernation files). Initial encryption is transparent to both running applications and Windows system modules. Initial encryption can be paused, and the user can resume the process at any time (for example after turning the computer off and on).

BestCrypt Volume Encryption performs Computer Pre-Boot Authentication if a system or boot volume/partition is encrypted: BestCrypt Volume Encryption is loaded before the operating system and allows the computer to boot only after the proper password is entered.

6. BestCrypt Volume Encryption supports computers whose operating system is loaded according to the Unified Extensible Firmware Interface (UEFI) specification, which defines the interface between an operating system and the platform firmware. While a UEFI computer is booting, the software provides a graphical user interface (GUI) environment with international language support and a virtual keyboard for ease of use.

7. BestCrypt Volume Encryption provides a way to customize the Pre-Boot Authentication theme in text and graphic mode. This text or graphic view appears when the user is asked for the password at boot time. The feature is intended both to provide a password hint and to hide the fact that a pre-boot authentication process is running.

8. The software provides Two-Factor Authentication. BestCrypt Volume Encryption supports a wide range of PKCS#15-compliant smart cards and crypto tokens, as well as regular removable disks (such as USB sticks), as secure hardware storage for encryption keys. Trusted Platform Module (TPM) hardware can also be used as a second authentication factor.

With hardware tokens, the user gets two levels of protection for encrypted data: in addition to the password, it is necessary to connect the small hardware token on which the encryption key is stored. Read the article Encryption Keys on Hardware Token for more detail.

9. The program includes the BestCrypt DataShelter utility to protect folders from unwanted processes and users. While BestCrypt Volume Encryption encrypts sectors on the disk, providing strong Data-At-Rest protection, BestCrypt DataShelter provides Data-In-Use protection. The utility allows creating a protection policy unique to every folder, as well as applying more general policies to several folders. Read the article Protecting data-in-use with BestCrypt Data Shelter for more detail.

10. The software utilizes Trusted Platform Module (TPM) hardware, available on many motherboards, to initiate unattended reboots of computers with encrypted boot/system volumes. The feature is necessary for managing servers that are required to function around the clock. If such a server has an encrypted boot/system volume, every reboot requires manual password entry at boot. To solve this problem, the server administrator can set a time interval during which BestCrypt Volume Encryption (with the help of the TPM) supports unattended reboot of the server.

11. BestCrypt Volume Encryption provides Secure Hibernating. If a user encrypts the volume where Windows stores its hibernation file, BestCrypt Volume Encryption encrypts all write operations when Windows enters the Hibernate state and decrypts read operations when the computer wakes up. Since pre-boot authentication is required at wake-up, only a user who knows the proper password (and has the hardware token, if one is used) can resume the computer from Hibernate mode. Secure Hibernating is functionality that software such as BestCrypt Volume Encryption must implement; otherwise all data written at hibernation time (together with the encryption keys) ends up on disk in open, decrypted form.

12. In addition to hibernation files, BestCrypt Volume Encryption encrypts Windows crash dump files. Windows writes these files in a very special way, because when a crash occurs regular disk write operations cannot be used. Without encrypting crash dump files, the security level of the software would be significantly lowered, because the files can contain a snapshot of memory, together with encryption keys, in open, decrypted form.

13. BestCrypt Volume Encryption supports a number of rescue functions that allow the user to decrypt volumes should a serious disk crash occur.

  • BestCrypt Volume Encryption suggests that users save a rescue file to a reliable disk (a removable disk, for instance). The security level of the rescue file itself is not lower than that of the encrypted volumes, so the only concern is the physical reliability of the media on which the user saves the file. Note that without the proper password (and hardware token, if used) no one can use a rescue file to decrypt volumes.
  • A rescue file can be used on any computer in which the encrypted and damaged hard drive is installed and on which BestCrypt Volume Encryption is also installed.
  • When the user encrypts a boot/system volume, BestCrypt Volume Encryption advises and reminds the user to run a simple one-step procedure to prepare a bootable CD image or bootable USB drive containing a rescue file. Such a bootable disk can be used if accidental damage to that volume prevents the computer from booting.
  • The BestCrypt Volume Encryption recovery procedure is integrated with the Windows Recovery Environment (WinRE).
  • Since hardware tokens are usually small and plastic, they can also be lost. BestCrypt Volume Encryption offers an easy way to make a backup copy of the keys stored on one token onto another token. It is recommended to store the backup token in a safe place.

14. Support for earlier versions of Windows and older hardware.

Together with constant improvements to the software to meet the requirements of the latest releases of Windows, we also continue to support older Windows versions (Windows XP SP3 and later) as well as earlier generations of computers with the MBR boot process. We gladly continue to offer this feature set thanks to the requests and support of our loyal users.


See also:

Encryption Algorithms

Encryption Mode

System and Boot Volumes

Basic whole disk encryption functions

Protecting data-in-use with BestCrypt Data Shelter

Boot-time Prompt for Password in Text Mode

Boot-time Prompt for Password in Graphic Mode

Encryption Keys on Hardware Token

Overview of Rescue Procedures

Moving Encryption Keys to Remote Storage

Setting Anti-Keylogger