Smokey's Security Forums

Topic: BCVE v.3  (Read 482 times)

Jetico

  • Jetico Inc. Support Engineer
  • Posts: 872
Re: BCVE v.3
« Reply #15 on: January 27, 2012, 06:23:56 AM »
After moving encryption key to the external storage, it is possible to find out that volume is encrypted.
The volume still has some specific header that is useful for recovering purposes.

Omnivore (Topic starter)

  • Member
  • Posts: 9
Re: BCVE v.3
« Reply #14 on: January 26, 2012, 09:54:36 PM »
Just curious, after moving the encryption key to external storage, is it possible to find out that the volume is encrypted (not wiped out with a random pattern)?
In regular BC there is an option "Wipe key block" after which "Container file with wiped header becomes looking as a file with random data, so it is impossible to prove that the file contains encrypted data." (from help)
So, in the case of BCVE 3, will moving/wiping the key have a similar effect, or does the volume still have some specific header or footprint?

Jetico

  • Jetico Inc. Support Engineer
  • Posts: 872
Re: BCVE v.3
« Reply #13 on: January 23, 2012, 09:56:05 AM »
We thank Pepak for answering the questions; all of the answers are correct, just a few details.

Quote
3.2 If I choose image file, BCVE will create an image file, which in fact I can use with f.e. GRUB loader? Can I add this image file to my custom made bootable flash disk as boot option?

Yes. BCVE v.3 creates image file for MEMDISK boot. We recommend to read http://www.syslinux.org/wiki/index.php/MEMDISK article for more detailed information.

Quote
3.3 For not boot/system disc, BCVE want to format FAT/FAT32 removable disk if it was not earlier prepared as Rescue Disc or disc to store encryption keys. What exactly this mean? Can I manually prepare disc to store keys without format?

Yes, you can. To be able to boot from removable disk BCVE needs to have it formatted with FAT or FAT32 filesystem with MBR and partition table in 0th physical sector. In many cases removable disks are formatted so that they have a single partition starting from 0th physical sector. BCVE needs to format such disks to be able to boot from them.
The same for non-system/boot disks - BCVE will format the removable disk if it is not FAT disk or if it does not contain the MBR.

Quote
The only option for convert V2 volume to V3 is to decrypt it and reencrypt? So, if I install V3 and want to have access to all functions (of course), then I have to decrypt/encrypt all volumes anyway?

Yes, to convert V2 volume to V3 you should decrypt it and then encrypt it with V3. Please note that not all the new V3 functionality depends on version, you may read more detail about that on http://www.jetico.com/bcve3_web_help , article "Introduction -> New features in version 3".
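
The sector-0 requirement described in the reply above, as an added example that is not part of the original post and is not Jetico's code: a heuristic check of whether a disk's first sector holds an MBR with a partition table or a FAT boot sector placed directly in sector 0. The function names, the `superfloppy` label and the sample sectors are assumptions constructed for illustration; how BCVE itself performs this check is not stated on the page.

```python
import struct

def looks_like_fat_bpb(sec):
    """Heuristic: does sector 0 carry a plausible FAT BIOS Parameter Block?"""
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sec, 11)
    return (sec[0] in (0xEB, 0xE9)                       # x86 jump over the BPB
            and bytes_per_sector in (512, 1024, 2048, 4096)
            and sectors_per_cluster in (1, 2, 4, 8, 16, 32, 64, 128)
            and sec[16] in (1, 2))                       # number of FAT copies

def parse_partitions(sec):
    """Return [(type, start_lba, sectors)] for used MBR entries, None if invalid."""
    parts = []
    for off in range(446, 510, 16):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sec, off)
        if status not in (0x00, 0x80):                   # only inactive/active allowed
            return None
        if ptype != 0 and start != 0 and count != 0:
            parts.append((ptype, start, count))
    return parts

def classify_sector0(sec):
    """Classify the first 512 bytes of a disk as mbr / superfloppy / other."""
    if len(sec) < 512 or sec[510:512] != b"\x55\xaa":
        return "no-boot-signature", []
    if looks_like_fat_bpb(sec):                          # filesystem starts at sector 0
        return "superfloppy", []
    parts = parse_partitions(sec)
    return ("mbr", parts) if parts else ("unknown", [])

def sample_mbr():
    """Constructed sector: MBR with one active FAT32 (LBA) partition at LBA 2048."""
    sec = bytearray(512)
    sec[0:2] = b"\x33\xc0"
    struct.pack_into("<B3xB3xII", sec, 446, 0x80, 0x0C, 2048, 7_000_000)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

def sample_superfloppy():
    """Constructed sector: FAT boot sector in sector 0, no partition table."""
    sec = bytearray(512)
    sec[0:11] = b"\xeb\x58\x90MSDOS5.0"
    struct.pack_into("<HBHB", sec, 11, 512, 8, 32, 2)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

if __name__ == "__main__":
    for name, sec in (("mbr", sample_mbr()), ("superfloppy", sample_superfloppy())):
        print(name, classify_sector0(sec))
```
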

pepak

  • Jetico BCVE Mod
  • Administrator
  • Posts: 427
    • WWW
Re: Re: BCVE v.3
« Reply #12 on: January 23, 2012, 06:18:52 AM »
Quote
The only option for convert V2 volume to V3 is to decrypt it and reencrypt? So, if I install V3 and want to have access to all functions (of course), then I have to decrypt/encrypt all volumes anyway?

As far as I know, yes.

Omnivore (Topic starter)

  • Member
  • Posts: 9
Re: Re: BCVE v.3
« Reply #11 on: January 23, 2012, 12:08:25 AM »
Quote
Note that some functions require V3 volumes.

The only option for convert V2 volume to V3 is to decrypt it and reencrypt? So, if I install V3 and want to have access to all functions (of course), then I have to decrypt/encrypt all volumes anyway?

pepak

  • Jetico BCVE Mod
  • Administrator
  • Posts: 427
    • WWW
Re: BCVE v.3
« Reply #10 on: January 22, 2012, 10:05:20 PM »
Quote
1. Can V3 be installed over existing V2? No need to decrypt volume before? Full compatibility?

V3 can be installed over V2.
No need to decrypt volume before.

There is full backward compatibility - V3 can access V2 volumes without problems. V2 can not access V3 volumes (it didn't report any error in the pre-alpha, but it didn't show volume contents either; I asked Jetico to change the volume format so that V2 mounting V3 volumes would report an error, but I don't know whether it got implemented yet).

Note that some functions require V3 volumes.

Quote
2. License from V2 is still valid or need to update?

Valid.

Quote
3. About moving keys to external storage. Please explain a little more, if I'm correct:
3.1 If I move key from system volume, BCVE will format removable disk, make it bootable and place loader and key on it. Right?

Yes.

Quote
3.2 If I choose image file, BCVE will create an image file, which in fact I can use with f.e. GRUB loader? Can I add this image file to my custom made bootable flash disk as boot option?

Yes.

Quote
3.3 For not boot/system disc, BCVE want to format FAT/FAT32 removable disk if it was not earlier prepared as Rescue Disc or disc to store encryption keys. What exactly this mean? Can I manually prepare disc to store keys without format?

Not sure. I just let BCVE format it. When it is done, the keys are stored in one specific file; you can take this file and copy it to the root of any disk, BCVE will find it.

Note that "Move Encryption Key" requires V3 volumes.

Note also that I am not a Jetico employee. I am just a regular user, although I do have some extra experience with V3.

Omnivore (Topic starter)

  • Member
  • Posts: 9
Re: BCVE v.3
« Reply #9 on: January 22, 2012, 09:48:50 PM »
1. Can V3 be installed over existing V2? No need to decrypt volume before? Full compatibility?
2. License from V2 is still valid or need to update?
3. About moving keys to external storage. Please explain a little more, if I'm correct:
3.1 If I move key from system volume, BCVE will format removable disk, make it bootable and place loader and key on it. Right?
3.2 If I choose image file, BCVE will create an image file, which in fact I can use with f.e. GRUB loader? Can I add this image file to my custom made bootable flash disk as boot option?
3.3 For not boot/system disc, BCVE want to format FAT/FAT32 removable disk if it was not earlier prepared as Rescue Disc or disc to store encryption keys. What exactly this mean? Can I manually prepare disc to store keys without format?

AYA

  • Member
  • Posts: 5
Re: BCVE v.3
« Reply #8 on: January 22, 2012, 11:04:50 AM »
One small suggestion to Jetico - add in help / website separate chapter about BestCrypt and SSD - compatibility and other FAQ.

Smokey

  • Master of Disaster
  • Site Management
  • location: Annie's Pub
  • Posts: 7255
  • .: ~veritas odium parit~
Re: BCVE v.3
« Reply #7 on: January 21, 2012, 07:17:03 PM »
Download Jetico BestCrypt Volume Encryption 3 Beta here: http://www.jetico.com/bestcrypt-volume-encryption-3-beta/

Note: before downloading read carefully the Terms and Conditions.

pepak

  • Jetico BCVE Mod
  • Administrator
  • Posts: 427
    • WWW
Re: BCVE v.3
« Reply #6 on: January 21, 2012, 07:23:11 AM »
Note: Public beta version is now available at Jetico's site.

Jetico

  • Jetico Inc. Support Engineer
  • Posts: 872
Re: BCVE v.3
« Reply #5 on: December 29, 2011, 06:23:40 AM »
Thank you for comments. Let me clarify few moments.

Feature 5 allowing the user do not initially encrypt all sectors on brand new disks or fill them by random data is optional. Default setting for the initial encryption process is an "old" way when all sectors are encrypted one-by-one.

The same for feature 6. If you do not need "unattended reboot", please do not set the option. But even if you are going to set it, the program will display security warning. Please note that the feature is strongly required by our enterprise customers who have their servers rebooted regularly at very definite periods. Besides they have the servers physically stored in highly protected rooms. Since Unattended Reboot feature can be configured to work only at definite period of time (say since 23:30 to 00:30), it will work only when Administrator expects that. It won't work if the server reboots at other time. So with all the precautions the option (hopefully) will be helpful in some situations.

pepak

  • Jetico BCVE Mod
  • Administrator
  • Posts: 427
    • WWW
Re: Re: BCVE v.3
« Reply #4 on: December 28, 2011, 04:39:39 PM »
Some rather cool improvements seem to be just around the corner!

Quote
1. Earlier versions of the software required decrypting encrypted volumes before the user can reconfigure their size, location or type of software RAID.

As far as I know, this was also a problem with hardware RAID, as experienced with my 3WARE controllers (I have moved to Areca since then, but never felt confident enough to try to change the volume configuration without decrypting first).

Quote
5. Faster initial encryption.

Please make sure this is an optional feature.

Quote
6. Secure unattended reboot. Version 3 of the software utilizes Trusted Platform Module (TPM) hardware available on many motherboards for a purpose of unattended reboot of computers with encrypted boot/system disk volume.

I may be the only one, but I don't trust the "trusted platform module". I hope that this feature will be optional, and if I don't have a TPM, it won't be available at all. Please please please do not implement a "workaround" for those who need this feature but don't have a TPM - as I commented at TrueCrypt forums, I want software I can trust - the ability to reboot and not lose access to encrypted disks breaks that trust as far as I am concerned.

Quote
7. Support of eToken Pro Java hardware from SafeNet (former Aladdin) company. Earlier versions of BCVE supported two-factors authentication with a help of eToken R2 and eToken Pro hardware. eToken Pro Java is the latest hardware designed by SafeNet company for such a purpose.

For some reason I never succeeded with getting BCVE to work with my eToken. Not that I tried very hard - I don't like the idea of the token being the ONLY factor (I would definitely want to combine it with a password).

Anyway, looking forward to the beta.

Jetico

  • Jetico Inc. Support Engineer
  • Posts: 872
Re: BCVE v.3
« Reply #3 on: December 28, 2011, 05:39:39 AM »
We are sorry for the delayed reply. We had a problem with the connection with this forum.
Thank you for your interest in our plans. BCVE v3 (beta) will be available in January. This is the list of new features:
==================
BestCrypt Volume Encryption version 3 provides the users with more robust support of encrypted disk volumes, increased performance and more security.

1. Earlier versions of the software required decrypting encrypted volumes before the user can reconfigure their size, location or type of software RAID. Version 3 of the software adapts its internal information for encrypted volumes automatically in case of changing their configuration.

2. Two-Factor Authentication with regular removable disks (like USB sticks). With version 3 of the software the user can move encryption key to removable storage. In this case the person who wants to access encrypted volume must: 1) know password for the key; 2) have the removable disk where the key is stored.

3. Boot computers with encrypted boot/system disk volumes from network. In this case encryption keys are stored not on local computer, but on network server. It opens an additional security levels for enterprise use of the software. Since encryption keys are stored on enterprise server, access to encrypted computer will be possible only if it is connected to enterprise network.

4. Support of new set of machine instructions (AES-NI) in the latest Intel processors. As a result, speed of AES encryption module utilizing AES-NI instructions increased up to 5 times. Overall increase of speed of disk access to the encrypted volumes becomes up to 30% higher.

5. Faster initial encryption. In earlier versions of the software the user must encrypt a whole disk volume before starting to use it. If disk is large (terabytes), initial encryption process will require dozens of hours. If the disk is new and practically nothing is needed to be initially encrypted, in version 3 of BestCrypt Volume Encryption the user may run "Format and encrypt" process that will avoid long initial encryption of a whole unused disk space.

6. Secure unattended reboot. Version 3 of the software utilizes Trusted Platform Module (TPM) hardware available on many motherboards for a purpose of unattended reboot of computers with encrypted boot/system disk volume. The feature is necessary to manage servers that are required to function all around the clock. If such a server has boot/system volume encrypted, every reboot of the server requires manual entering of password at boot time. With the new feature administrator of the server can choose interval of time when BestCrypt Volume Encryption with help of TPM should support unattended reboot of the server.

7. Support of eToken Pro Java hardware from SafeNet (former Aladdin) company. Earlier versions of BCVE supported two-factors authentication with a help of eToken R2 and eToken Pro hardware. eToken Pro Java is the latest hardware designed by SafeNet company for such a purpose.

8. Convenience in mount and protection against accidental formatting. When Windows discovers inserted encrypted and not mounted volume, it asks the user to format it. As a result, encrypted volumes were accidentally formatted in not a few cases. Version 3 of the software has an option to disable Windows formatting message and, according to an additional option, suggest mounting the volume for access.

9. Disk devices with physical sector size other than 512 bytes are supported in version 3 of the software.

==============================

pepak

  • Jetico BCVE Mod
  • Administrator
  • Posts: 427
    • WWW
Re: BCVE v.3
« Reply #2 on: December 11, 2011, 07:02:48 AM »
I don't think there is a beta available for download.

Some new features were hinted at in various posts in this forum. I remember (or I think I remember):
- Support for AES NI instruction set
- Support for location-independent encrypted volumes (that is, you will be able to e.g. resize a volume without having to first decrypt all volumes that are located on the disk after the resized one).
Maybe others. I recommend searching for posts made by Jetico.

Omnivore (Topic starter)

  • Member
  • Posts: 9
BCVE v.3
« Reply #1 on: December 10, 2011, 01:38:45 PM »
Is there available for download beta or RC of BCVE v.3?
What's new will be in v.3?
 


Except where otherwise stated, all content, graphics, banners and images included © 2006 - 2012 Smokey Services™ -- All rights reserved