When you encrypt a host disk (such as drive H:) with USBCrypt, it uses a portion of the host disk to create a Virtual Encrypted Disk with its own drive letter (such as drive E:). The drive E: becomes available only after you have entered a valid password. Any file you put onto the drive E: will be encrypted and decrypted on-the-fly, in the background, as necessary.

What is a Virtual Encrypted Disk?

Virtual Encrypted Disk refers to the encrypted portion of the host disk that USBCrypt creates to keep your files secure. It's a "disk" because after you've entered your password, the encrypted area appears as a separate disk, with its own drive letter, different from the drive letter of the host disk. (Yes, you can choose the drive letter to be assigned to the Virtual Encrypted Disk.) It's "virtual" because there is no actual physical disk involved there. And it's "encrypted" because, well, it's encrypted.

What is a "host drive"?

Host drive is the actual physical drive that you use to "host" the Virtual Encrypted Disk.

How exactly does it do the encryption?

Please see a special web page that we've created to provide the technical details about our implementation of the encryption and other related algorithms: http://www.winability.com/go/?usbcrypt-encryption 

Will the encrypted files be protected in the "safe mode" of Windows?

Yes, they will be protected no matter how you start Windows (in the safe mode or normally), or if someone were to remove the encrypted drive and attach it to another computer, even if another computer runs a different operating system (such as Linux). No matter what, your encrypted files will be protected until you enter the correct password. That's the power of strong encryption!

Does USBCrypt require the administrator rights?

Just like with most other software, the administrator rights are required to install USBCrypt on a computer. In addition, the administrator rights are also necessary in the following situations:

  1. To encrypt a drive for the first time and create a Virtual Encrypted Disk on it, as well as to delete the Virtual Encrypted Disk, or upgrade the USBCrypt software on it, if necessary.
  2. To use an encrypted drive on a computer that does not have USBCrypt software already installed on it.

However, to use the encrypted drives on your own computer(s) where you have already installed USBCrypt software, the administrative rights are NOT required.

Is there a limit to how many drives I can encrypt with USBCrypt?

No, there is no such a limit, provided that you only encrypt the drives that belong to you or to your organization, and you do not distribute the encrypted drives to any third party. If your friends or associates want to encrypt their own drives, please let them purchase their own copies of USBCrypt. If you have an idea for a business that involves encrypting drives for your customers, a separate license must be obtained. Please contact us to discuss the possibilities.

How do I check the encrypted drive for errors?

If you suspect something is wrong with the drive encrypted with USBCrypt, the first thing to do is check the host drive for errors:

  1. Stop the Virtual Encrypted Disk, if necessary;
  2. Open the This PC (or Computer) folder and right-click on the host drive;
  3. Choose Properties from the menu, select the Tools tab;
  4. Use the Error checking area to check the drive for errors.

You can also run the chkdsk command line utility, as with any other drive. When selecting the error checking options, you may want to choose to scan the drive for bad sectors.

After the host drive has been checked, you may want to check the Virtual Encrypted Disk for errors, too: first, start the Virtual Encrypted Disk as usual, and then use the same steps shown above, but this time right-click on the drive letter that belongs to the Virtual Encrypted Disk, rather than the host disk. It's not necessary to scan the Virtual Encrypted Disk for bad sectors, because scanning the host drive should have been sufficient for that.

Is there a "back door" in USBCrypt?

USBCrypt gives you an option to create a "back door" for your own use, it's called the spare key file. If you select this option while creating a Virtual Encrypted Disk, USBCrypt will store a special file on your computer that you can use later on as a "back door" to reset the password in case you forget it. We stress that this "back door" remains on your computer, not anywhere else. Only you (or someone who gets access to your computer) would be able to use this "back door".

There is no any other "back door" in USBCrypt. It means that if you forget your password, neither we nor anyone else will be able to help you.

I've lost USBCrypt password. What should I do?

If you've created a "spare key" file for your encrypted disk, you can use it to reset the password. Note that each encrypted disk must have a separate "spare key" created specifically for it. If you did not create the "spare key" file, then the only way to recover your password is by trying every possible combination of the password characters. Of course, if you've chosen a strong password and then forgotten it, the recovery process can take a very long time, so don't count on it as a reliable way of getting access to your encrypted files.

Will my anti-virus program protect files on the encrypted disk?

If you have not entered your password yet (and the Virtual Encrypted disk has not started) then all the files and folders it contains remain completely inaccessible to any program, including anti-virus. (The viruses cannot infect your encrypted files, either). After you've entered your password and started the Virtual Encrypted Disk, it becomes available to all programs, including anti-virus (and viruses!), just like any other regular disk. Unless you have excluded the Virtual Encrypted Disk from your anti-virus software, then it should be protected by the anti-virus, like any other disk.

Will my backup program back up the files located on the encrypted disk?

If the Virtual Encrypted Disk has not started, then you can backup the host disk, and that should backup the files of the Virtual Encrypted Disk, too. (They will remain encrypted in the backup set). If the Virtual Encrypted Disk has started, then you can backup individual files or folders that it contains, just like on a regular disk. Be aware, however, that in this case the files will be backed up in their plain, decrypted state.

How do I use Windows Backup with the encrypted drive?

Windows Backup software that comes with Windows 7 or Windows Vista is very picky about the drives to backup your files to. To make it recognize your encrypted drive as a valid backup destination, you need to choose the NTFS file system for the Virtual Encrypted Disk when encrypting the drive, and also start it as a removable drive. (You can select this option by clicking on the More Options button when starting the disk). Even then, it may not let you backup the system image to such a drive. If you must backup the system image to an encrypted drive, you may want to use some other backup software that recognizes the encrypted drives as the valid backup destinations.

How do I enter the License Key?

Run USBCrypt off the Start menu or desktop and click on the link Licensed for limited evaluation use only. This should open the About USBCrypt window. Press the Enter License Key button and enter your license information into the form.

Or, click on the question mark button in the right-top corner of the USBCrypt window, and choose the Enter License Key command from the menu, then and enter your license information into the form.

IMPORTANT: When entering your license information, make sure you enter your name, number of computers, and the license key exactly as they are shown on your license certificate, including all capitalization and punctuation. Otherwise, USBCrypt may not accept the license key or may not register your information properly. You may wish to copy and paste the name and key from our message into the form, to avoid typos.

Will I need to re-encrypt the drives I encrypted during the trial?

No, there is no need to re-encrypt the drives that you've encrypted during the trial period. After you have purchased  a license for continued use and entered your license key into the software, it will automatically upgrade your encrypted drives for the full use, with the strong password protection. (It will ask you to confirm this action next time you start the Virtual Encrypted Disk.)

What happens when the evaluation period expires?

This software comes with a built-in license that allows you to use it for free for the first 30 days after the installation. When this initial evaluation period expires, you can still run USBCrypt, but you cannot use it to encrypt any new drives. Also, you can start the previously encrypted drives in the write-protected mode only. This should allow you to extract your existing files out of the encrypted disks, but you won't be able to save the modifications back to them. The full functionality of USBCrypt is restored immediately when you purchase  a license for its continued use and enter your license key into the program.

Can I use the same license key to install USBCrypt on several computers?

Yes, you can use the same license key, provided that you are installing it on no more computers than included in your license. Please refer to the file License.txt (installed along with other files of USBCrypt) for the detailed description of the terms of using this software on more than one computer. For information on our site license and quantity discounts, please visit our Online Store .

May I give a copy of USBCrypt software to a friend?

Yes, you may give the installation files of our programs to your friends and associates. However, you may NOT share your license key, if any, with anybody else. Please remember that the license key we provide you with are for your own use only. If your friends like our programs, please let them purchase their own license keys. To avoid possible confusion, please give out the original installation files that you may download from our web site.

There are several other simple, but important conditions which we impose on further redistribution of our products. Please refer to the file License.txt in the folder where you have installed USBCrypt for the complete description of our distribution requirements.

I've upgraded USBCrypt to a newer version. Will it read the encrypted files I created with the previous version?

Yes, USBCrypt is backward-compatible: the new versions can read the files encrypted with the old versions of USBCrypt. Note that the opposite is not necessarily true: sometimes we make improvements in the new version such that they are not recognized by the older versions of USBCrypt. For example, USBCrypt version 13.x uses a new format for the Virtual Encrypted Disks, that was not in existence when the versions 10.x of USBCrypt were released. As a result, if you attempt to use a drive encrypted with USBCrypt version 13.x on a computer that has only USBCrypt version 10.x installed, such a drive may not be recognized as a valid encrypted drive and your password may not be accepted even if you've entered it correctly. A solution to such a problem is simple: install the newer version of USBCrypt on the computer and it should be able to recognize the new format of the encrypted drive and accept your password.

Why does USBCrypt ask me to update software on the host disk?

If you've installed a newer version of USBCrypt on your computer and then connected a removable drive previously encrypted with an older version, USBCrypt may display a prompt asking you for a permission to update software on the host disk. This is happening because USBCrypt puts a portable version of it onto the encrypted disk, to make you able to use the disk with other computers that don't have USBCrypt installed on them. (When you connect the encrypted drive to such a computer, you can run the portable version of USBCrypt directly off the host disk, without the need to install a separate copy of USBCrypt on that computer.)

So, when you see a prompt asking you to update software on the host disk, if you reply Yes, USBCrypt will simply replace the portable version of it on the removable disk with the new version. After that, you should not see such a prompt any more.

Why does USBCrypt ask me to adjust the security attributes of the host drive?

When you format a drive in Windows with the NTFS file system, it makes some assumptions about the intended use of the drive which may not match your actual intentions. For example, if the drive is fixed (rather than removable), Windows assumes that you are going to use the drive permanently attached to your computer. As a result, it creates the security attributes for the drive so that only your user account has the full access to it, and it restricts access to the drive for other users.

This may cause a problem in case you decide to detach the drive from your computer and attach it to some other computer, which does not have your user account on it. With the default security attributes, you would not have access to the drive on that computer and would not be able to start the Virtual Encrypted Disk off it!

To prevent such situations from happening, when encrypting a drive, USBCrypt analyses its security attributes and if it detects that they may prevent you from using the drive on other computers, it asks you to make the adjustments. If you do plan on using the drive with other computers, reply Yes to allow the adjustments, and USBCrypt will make them for you.

How does the Encrypt Empty Space option affect the security of my files?

The Encrypt Empty Space option does not affect the security of your files: they are always encrypted and protected whether this option is enabled or not. What it does is it only affects whether the empty space of the Virtual Encrypted Disk is encrypted or not, when you first create it.

This option greatly affects the speed of creation of the Virtual Encrypted Disk. If this option is selected, then USBCrypt will encrypt the empty space of the Virtual Encrypted Disk, even if it's initially not used to hold any useful information. The process of such encryption can take a rather long time, if the host drive is very large. For example, encrypting a 2TB (two terabytes or 2048 gigabytes) SATA drive connected via the SATA interface to a modern consumer-grade computer can take approximately 10 hours to complete.

However, if you clear the Encrypt empty space option, then USBCrypt will allocate the empty space from the available space of the host drive without encrypting it. Such an operation can be performed significantly faster: creating the same 2TB drive can now take less than a minute! The price for such an increase in the speed is, of course, that the empty space will not be encrypted. However, as you start adding files and folders to such a drive, they will be encrypted, as usual.

How important is it to have the empty space encrypted? It depends on whether you want the adversary to be able to deduce some aggregate information about your encrypted data. For example, by analyzing the raw sectors of data allocated on the host drive, the adversary may be able to tell which portions of your Virtual Encrypted Disk image contain encrypted data and which contain the empty space. From that, the adversary could deduce, for example, whether your encrypted drive is almost empty, or almost full. By analyzing the distribution of the encrypted sectors and the unencrypted empty sector within the Virtual Encrypted Disk image, the adversary can probably guess the type of the file system the Virtual Encrypted Disk has. However, in no case the adversary will be able to get to your actual files or folders or any information about them: they are encrypted as strong as ever, no matter whether the Encrypt empty space option was selected or not.

Ultimately, it's for you to decide whether it's acceptable for the adversary to be able to detect how much of your Virtual Encrypted Disk is empty and whether preventing that is worth sacrificing the significant increase in the speed of the creation of the Virtual Encrypted Disk.

Note that not all versions of Windows allow to clear the Encrypt empty space option for some file systems. For example, at the time of this writing, Windows XP does not allow to clear this option if the host drive is formatted with the FAT or FAT32 file system. Or, this option can't be cleared for the NTFS disks with the compression enabled. If USBCrypt detects such a condition, it disables this option to prevent you from using it when it's not supported by your computer.

Why the NTFS compression or EFS encryption should not be used with the USBCrypt files?

The NTFS file system allows one to enable the data compression and/or encryption for the files stored on it. However, neither NTFS compression nor the EFS encryption should be enabled for the files that USBCrypt uses to store the Virtual Encrypted Disk image on the host disk. The reason for that is simple:

  1. The EFS encryption would be redundant: the data stored on the NTFS host disk is already encrypted with USBCrypt. Encrypting them again with EFS would not add additional protection to your data: the encryption performed by USBCrypt is already strong enough. Therefore, enabling the EFS encryption would only create additional work for the computer CPU, slowing the process down.
  2. The usual compression methods are effective only for the highly structured or repetitive data. They are not effective for the encrypted data. Enabling the NTFS compression would waste the CPU cycles for no good reason.

For these reasons, USBCrypt disables the NTFS compression and EFS encryption for the files it uses to store the Virtual Encrypted Disk image.

I've encrypted a drive and now Windows is showing the 'Low Disk Space' balloons. Why?

If, while encrypting a drive for the first time, you've chosen the size of the Virtual Encrypted Disk to fill up all available free space of the host disk, then after the encryption is finished, very little unencrypted free space will remain on the host disk. (Because all such space will now be reserved for the encrypted files.) Windows is designed so that if it detects that the free space on any disk decreases below a certain level, it displays a notification in the form of a popup "balloon" in the taskbar notification area. If you don't want to see such notifications, you can use the Tools button on the main screen of USBCrypt to suppress them (or to restore them back later on). Unfortunately, Windows does not let one suppress the notifications for some drives and allow them for others, so if you suppress them, keep in mind that there will be no notification if the free space on some other drive (such as the main C: drive) decreases below the minimum level.

I've shared a Virtual Encrypted Disk on a network, but Windows denies access to it from other computers?

If you have started the Virtual Encrypted Disk as a removable drive, and shared that drive on your local network, then Windows may display an Access denied message when attempting to open the shared drive from another computer. If you experience this problem, try to stop the Virtual Encrypted Disk, and then start it again, but this time choose to start it as a fixed drive. (You can change the type of the drive by clicking on the More Options... button when starting the disk, on the same screen where you enter its password.) If you share the fixed drive on the network, you should be able to open it from other computers without a problem.

I'm trying to use the Create System Image command of Windows, but it shows an error?

Apparently, Windows backup program gets confused when it encounters a Virtual Encrypted Disk while searching for a disk suitable for holding the system image. Instead of silently skipping the disk that it does not quite understand, it displays an error message with the error code 0x81000036, and it does not let you select the destination disk for the system image. To work around such a problem, simply stop any Virtual Encrypted Disk that you might have previously started, and then try to use the Create System Image command of Windows again. After the command is complete, start the Virtual Encrypted Disk back.

How can I get a printed version of this guide?

This user's guide is available online in the printed-friendly format:

http://www.winability.com/usbcrypt/users-guide-printable.htm 

Open the link above in your web browser and use the web browser's Print command to print it out on your printer.


USBCrypt Administrator's Kit Copyright © 2017, WinAbility® Software Corporation. All rights reserved.