BestCrypt Volume Encryption on Windows Client Computers
BestCrypt Volume Encryption software (or BCVE) allows the user to encrypt all data on existing disk partitions and disk volumes. This includes both basic and dynamic disk volumes as well as boot/system partitions. The main window of BCVE program is pictured below.
When the software works as Enterprise Client managed by Jetico Central Manager, its behavior depends on the encryption policy assigned by the JCM administrator. If the policy forces encryption, the user will be asked to enter a password twice before starting the process. As soon as the encryption process is started, the user will henceforth have to enter the password at boot time.
If the policy forces an encryption or decryption process, the process runs in the background with the progress displayed:
A user on the client computer can stop (pause) the process, but it will be automatically resumed after a set period of time. In addition, the process will automatically resume after restarting or hibernating the system.
If the policy forces an encryption or decryption process, the BCVE main window can be opened. However, most of the available functions will remain inactive. The following commands are available in this mode:
- Mount/Dismount (Volume menu) - this command mounts or unmounts an encrypted volume.
- Decrypt with Rescue File (Rescue menu) - this command is used in case if the volume is damaged and the standard Decrypt operation does not work. Note: this command is available for unmounted volumes.
- Recover/Change Boot Password (Rescue menu) - this command changes the master password or resets it using the Administrator password generated by JCM Server. In both cases, the corresponding message will be sent to JCM Server.
- Manage Boot Passwords (Volume menu) - this command allows the user to change/add/remove additional boot passwords.
If the policy does not force encryption/decryption and is set to Manage locally, all of the standard BCVE commands are available on the client computer. The user can encrypt/decrypt volumes, as well as change various settings. As soon as the policy becomes 'Encrypt' again, the program will prompt the user to enter a boot-time password and a volume password in order to encrypt all volumes with single master password:
If volumes are encrypted with different encryption algorithms, they will not be changed. However, the computer will be considered as 'policy non-compliant' even after the encryption process is finished. The same behavior is applied in a case where the client computer was previously encrypted with the standalone version of BCVE (not managed by JCM).
To reduce the risk of losing encrypted data in the case of an emergency, BCVE always creates and updates the rescue file necessary to recover encrypted disk volumes. With Jetico Central Manager, all of the rescue information from client computers is saved securely within the JCM Database. As a result, the JCM administrator can run a recovery process on client computers encrypted by BCVE without any user's activity.
Encryption policy also includes the option for removable devices. If the policy is set to force encryption, then when inserting a non-encrypted USB drive, the user will be prompted to enter a password to encrypt the device. If the user refuses to encrypt it, access to the device will be blocked or restricted. In cases where policy does not force the encryption of removable devices, inserting an encrypted USB disk will prompt the user to decide if the device should be decrypted or not.
See also: