BestCrypt: Cross-Platform Filesystem Encryption

This month Mick reviews BestCrypt, an open-source application that allows you to share encrypted volumes between Windows and Linux systems.

March 2002 was a bad month for advocates of personal cryptography tools. Network Associates officially dropped support for its PGP Desktop products, easily the most popular, mature and useful suite of end-user cryptographic tools in common use. As much as I hate to admit the superiority of any commercial product over free tools, Commercial PGP, while far from perfect, seemed to have the best chance of bringing strong cryptography to the masses. The world needs good crypto, specifically user-friendly good crypto with a time- and brainpower-saving GUI, and nobody benefits from PGP Desktop's demise, particularly in the absence of compelling alternatives.

None of which is meant to in any way impugn the admirable work of Werner Koch and the GnuPG team, on whom I've heaped heartfelt accolades in earlier Paranoid Penguin columns. In fact, let me heap some more on now: GnuPG rocks [see Paranoid Penguin in the September and October 2001 issues of LJ]. It's evolved into a stable and mature application in an astoundingly short period of time and has already taken its rightful place among other essential Linux tools that are part of nearly every mainstream distribution. Geeks love GnuPG, and you should too.

Unfortunately, in a GUI-centric world, GnuPG's various front ends need to realize much more of their potential before we can realistically hope to get nontechnical users to embrace GnuPG. And without accommodating nontechnical users in this way, we can forget about bringing strong crypto to the masses, even if it's free. GnuPG has this usability issue in common with Linux as a whole (uh-oh, here comes the hate mail).

Furthermore, GnuPG addresses only part of PGP Desktop's functionality. Whereas GnuPG does match PGP Desktop's abilities in e-mail and file encryption, among other things, it doesn't do filesystem encryption, which was one of the very best things about PGP Desktop. PGPdisk (PGP's filesystem utility) made filesystem encryption simple, fast and transparent.

About the only thing it lacked was client software for Linux, which seriously impaired PGPdisk's usefulness on dual-boot systems. As a dual-boot laptop user, I always found this frustrating; any portable system must have filesystem encryption on all OSes it boots, period. Sure, I could set up an encrypted loopback filesystem on my Linux installation, but that isn't cross-platform either. It would be much better to share a single encrypted partition between both environments than to maintain two separate “vaults”.

That brings us, albeit obliquely, to the subject of this month's column, which is actually about neither PGP nor GnuPG. It's about BestCrypt, a commercial but open-source application that allows you to share encrypted volumes between Windows and Linux systems, with all the transparency, simplicity and speed of PGPdisk.

Overview

BestCrypt is a filesystem encryption utility that allows you to create, mount and manage “containers” (encrypted volumes) on your computer that look and behave like any other mounted volume but are stored as encrypted files when not in use. This protects your sensitive data from computer thieves or anyone else who achieves unauthorized access to your system.

Because BestCrypt containers are ordinary files, they can be stored on removable media, archived, e-mailed as attachments and in general, manipulated like any other file. BestCrypt containers even can be placed on network shares and mounted by remote clients (though of course only one client may mount a given container at one time).

In addition, a BestCrypt container may be mounted by either the Linux or Windows version of BestCrypt; the same file format is used by both versions, with no loss of functionality in either direction.

Getting and Installing BestCrypt

BestCrypt can be downloaded from Jetico, Inc.'s web site in Finland at www.jetico.com/download.htm. It's a fast site, and BestCrypt is fairly compact—the Linux version is only 160K! The Windows versions are bigger, due no doubt to the fact that they're binary distributions, whereas the Linux version is distributed as source code. (For now I'm going to focus on the Linux version, but will talk about the Windows version shortly.)

Before you attempt to install BestCrypt, make sure that you've got the source code to your kernel installed under /usr/src/linux, where /usr/src/linux is either a symbolic link to or the actual root directory of your kernel source code. If you use a stock kernel from your distribution, simply install the corresponding kernel source package (just make sure the version is the same and that /usr/src/linux points to its root). If you've never built a kernel on your system, you then need to change your working directory to /usr/src/linux and execute these commands:

make mrproper
make menuconfig  # configure the source to match
                 # your kernel
make dep

You don't actually need to go on and build the kernel with make bzImage modules modules_install (unless you want to); the point is to build your kernel source's dependencies so that BestCrypt can compile additional kernel modules that match. (The first time I built BestCrypt on my SuSE 7.1 laptop, I forgot that I'd never compiled a kernel on that system, so BestCrypt wouldn't compile. Following the above procedure and then trying again did the trick, though.)
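The prerequisites above can be checked before you try to compile BestCrypt. The script below is an added example, not part of BestCrypt or of the original column; the function names are hypothetical, and it assumes a 2.4-era kernel tree in which make dep leaves .depend or .hdepend files at the top of the source directory.

```shell
#!/bin/sh
# Added example: preflight check before compiling BestCrypt's kernel modules.

# Print the release encoded in a kernel tree's top-level Makefile:
# VERSION.PATCHLEVEL.SUBLEVEL followed directly by EXTRAVERSION.
kernel_tree_version() {
    [ -r "$1/Makefile" ] || return 1
    awk -F'[ \t]*=[ \t]*' '
        { sub(/[ \t\r]+$/, "") }            # drop trailing whitespace
        $1 == "VERSION"      { v = $2 }
        $1 == "PATCHLEVEL"   { p = $2 }
        $1 == "SUBLEVEL"     { s = $2 }
        $1 == "EXTRAVERSION" { e = $2 }
        END { if (v == "" || p == "" || s == "") exit 1
              printf "%s.%s.%s%s\n", v, p, s, e }' "$1/Makefile"
}

# check_kernel_tree SRC RELEASE
# Return 0 if SRC is configured, has dependencies built, and matches RELEASE;
# otherwise print every problem found and return 1.
check_kernel_tree() {
    src=$1 running=$2 rc=0
    if [ ! -d "$src" ]; then
        echo "missing: $src (install the kernel source package or fix the symlink)"
        return 1
    fi
    if ! tree=$(kernel_tree_version "$src"); then
        echo "cannot read a kernel version from $src/Makefile"
        return 1
    fi
    if [ "$tree" != "$running" ]; then
        echo "version mismatch: source is $tree, running kernel is $running"
        rc=1
    fi
    [ -f "$src/.config" ] || { echo "no .config: run make menuconfig"; rc=1; }
    # Assumption: on 2.4-era trees, make dep leaves .depend/.hdepend here.
    [ -f "$src/.depend" ] || [ -f "$src/.hdepend" ] ||
        { echo "no dependency files: run make dep"; rc=1; }
    return "$rc"
}

# Run against the real tree only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_kernel_tree /usr/src/linux "$(uname -r)" && echo "ready to build BestCrypt"
fi
```

Run it with the --check argument to test /usr/src/linux against the running kernel; a version mismatch means the modules BestCrypt builds would not match the kernel you are running.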
