Introduction

Welcome to AES Drive, an easy-to-use utility that keeps files securely encrypted on disk. Your decrypted files are available at your fingertips - yet always remain encrypted on disk.

When the drive is mounted files are encrypted and decrypted transparently, allowing you to work with your files as if they were not encrypted. The full range of standard file operations are supported including create, read, update, and delete. No plaintext data ever touches the disk, all file data is stored encrypted and is only accessible while the drive is mounted.

Features

  • Files remain encrypted on disk at all times using industry standard disk encryption techniques.
  • Easily create virtual storage which behaves like a physical disk, network drive, or removable drive.
  • Support for multiple drive configurations.
  • Access files via your favorite file manager, such as Windows Explorer.
  • Supports all common directory and file operations such as move, copy, and rename.
  • Run as a Windows service or a desktop application.

WARNING: If your password is lost it cannot be recovered and your files cannot be decrypted. It is important that you choose a strong password and store it securely.

Additional Information

You will always find the latest information about AES Drive at our web site: www.callback.com. We offer free, fully-functional 30-day trials for all of our products, and our technical support staff are happy to answer any questions you may have during your evaluation.

Please direct all technical questions to support@callback.com. To help support technicians assist you as quickly as possible, please provide a detailed and accurate description of your problem, the results you expected, and the results that you received while using our product. For questions about licensing and pricing, and all other general inquiries, please contact sales@callback.com.

Thank You!

Thank you for choosing AES Drive. We realize that you have a choice among tools, and that by choosing us you are counting on us to be a key component in your business. We work around the clock to provide you with ongoing enhancements, support, and innovative products; and we will always do our best to exceed your expectations!

Running AES Drive

The application can be started directly from the application's main window or via the command line. Please take a look at the Quick Start Guide for a step-by-step introduction. Drives may be managed from the Drives tab (see Drive Management for more information).

Prerequisites

AES Drive is supported on Windows 7 and Server 2008 R2 with SHA2 code-signing updates and above. The system needs to have KB976932 (Service Pack 1 of the mentioned systems) and KB4474419 (Security Update).

Application

The buttons in the main application window or the context menu in the System Tray may be used to manage the application. To start the enabled drives, click the Start button. Once started, the options to Stop or Restart the application are enabled. Unmount all drives by clicking the Stop button.

All the configured drives will be displayed in list of drives. Click Save Changes to store changes across stopping and starting. For more information on configuring a drive please see the Drive Configuration topic.

Starting as a Windows Service

The application may also be configured to run as a Windows service. To enable running as a Windows service, navigate to the Service tab and check the Run as a Windows Service checkbox.

After doing so, you will be prompted to enter the password for each enabled drive. Following this, a drive-specific master key will be derived and stored within the registry (DPAPI encrypted). This is to ensure the drive can be mounted in the case no user is present on the machine.

Click Save Changes to save the changes. When running as a Windows service, enabling a previously disabled drive will also prompt you for the drive's password.

WARNING: When running as a Windows service, mounted drives and decrypted files will be accessible to all users on the system.

Command Line Parameters

The application may also be controlled via the command line. The command line values allow management of the application from unattended configurations such as scripts. The following command line parameters are available:

/stop Disconnects all drives and then exits the application
/start Starts the application. Drives are not automatically mounted.
/start uimin Starts the application minimized. Drives are not automatically mounted.
/currentuser Launches AES Drive using the current user's token (even if the calling program is running with administrative privileges).
/start /drive DRIVE_NAME /password DRIVE_PASSWORD Starts the application and mounts the drive with the specified password. Multiple drives may be mounted by specifying multiple /drive and /password pairs. For instance: /start /drive mydrive1 /password mypassword1 /drive mydrive2 /password mypassword2
/stop /drive DRIVE_NAME /password DRIVE_PASSWORD Disconnects specified drive. Multiple drives may be disconnected by specifying multiple pairs of flags. For instance: /stop /drive mydrive1 /password mypassword1 /drive mydrive2 /password mypassword2
/import FILE_PATH DRIVE_NAME FILE_PASSWORD [DRIVE_PASSWORD] Imports encrypted files to the specified drive. The FILE_PATH parameter can specify a path to a single encrypted file or a folder containing encrypted files. These files will be decrypted using the FILE_PASSWORD parameter. For instance: /import C:\test\myfiles1 mydrive1 myfilespassword1

Note: When running the application as a Windows service, there's no need to specify the DRIVE_PASSWORD. For more details, please refer to the 'Importing Encrypted Files' section below.

Importing Encrypted Files

The /import command line option can be used to import encrypted files in AESD format (files with the .aesd extension) that were created on another system. This is particularly useful when restoring from a backup or transferring files to a new machine. Additionally, it is important to note that this option is only necessary for use when the application is configured to run as a Windows service.

To import encrypted files when the application is running as a Windows service, the target drive must be enabled. The drive's password does not need to be specified.

When the application is not running as a Windows service, files do not need to be imported; however, the import operation is still supported. When doing so, the drive's password must be specified.

Encrypted File Details

Each file added to the drive will be encrypted then stored at the specified location in AESD format. See AESD File Format for more information.

The encrypted versions of the files (files that end with the .aesd extension) may be transferred between systems or backed up to another location. Files can be decrypted on any system as long as the correct password is entered for the drive.

Double clicking any encrypted file (files the end with the .aesd extension) will mount the appropriate drive and open an Explorer window with the decrypted file selected.

Drive Management

The Start and Stop buttons provide the basic functionality of AES Drive. Enabled drives are mounted when Start is pressed and all drives are unmounted when Stop is pressed. Start and Stop buttons can also be found in the system tray. The Restart button unmounts and subsequently mounts the currently running drives.

Press the Exit button to unmount any connected drives and stop the application. When running as a Windows Service, the Exit button will exit the graphical application and leave the service running. The service can be stopped from the application interface by clicking the Stop button or stopped manually in the Windows Service Manager.

The Drives tab is the control center for the application. Once a drive is configured it is added to the drive list. Select a drive from the drive list and click the control buttons on the right panel to change it or open it. Alternatively, right-click a particular drive and manage it from the context menu.

Working with Drives

  • The Edit... button opens the Drive Configuration window.
  • The Duplicate... button creates a new drive using the settings of the selected drive.
  • The Delete button permanently removes the drive from the drive list.
  • The Enable button designates a drive to be mounted when the Start button is pressed or the service is started.
  • The Disable button disables the drive so it cannot be mounted.
  • The Open button opens the remote folder associated with the selected drive.
  • The Connect button mounts the selected drive without affecting other drives.
  • The Disconnect button unmounts the selected drive without affecting other drives.

Configuration details about each drive are included in drive list. Click on the column headers to sort the drives by the respective category.

Drive Configuration

The drive configuration window is used to configure new drives and edit existing drives. It can be accessed by clicking the New... button in the Drives tab or clicking the Edit... button when a drive is selected in the drive list.

Please be aware that configuration changes will not take effect until you click the Save Changes button in the AES Drive toolbar, which will save the settings to the Windows registry.

Adding a Drive

  • To add a drive, click the New... button on the Drives tab of the main window.
  • Enter a name for the drive in the Drive Name field, and if needed, choose the desired drive letter. This will be the drive letter where the storage area will be mounted.
  • In the Secure Storage Location field, browse to an empty folder on disk where the encrypted files should be stored.
  • Optional Settings:

    • Read-Only Mode can be checked to indicate the storage should be mounted as a read-only device.
    • Open Folder On Mount specifies which folder to open in Explorer when the drive is mounted (if any).

After clicking OK the drive will be added to the drive list. Use the Advanced Settings to set additional configuration settings at the drive level and at the global level.

Changing Passwords

Changing the password for a drive can be accomplished in the Edit Drive dialog. From the Drives tab select a drive and press the Edit... button. In the Edit Drive dialog press the Change button next to the password field.

After providing the current and new passwords the change password operation will begin immediately. Changing the password requires all encrypted files to be updated on disk and may take some time depending on the number of files (the size of the encrypted files is not a factor).

It is important to let the change password operation finish. If the process is interrupted some files will be encrypted with the old password and some files will be encrypted with the new password and manual intervention will be required to recover and sort the file data.

Import and Export

AES Drive offers convenient ways to migrate application settings from one system to another. Please note that this migration pertains exclusively to your client settings and does not involve transferring the contents of the virtual drive.

Exporting Settings

To export your settings, follow these steps:

  1. Navigate to the Settings tab within the application.
  2. Click the Export link to initiate the settings export process.
  3. Specify the location and filename where settings will be saved. By default, the settings will be stored in INI file format.

Importing Settings

To import settings from an existing file, follow these steps:

  1. Navigate to the Settings tab within the application.
  2. click Import link to start the import process.
  3. Specify the filename of the .ini file you want to load your settings from.

Note on Sensitive Information

Sensitive fields such as passwords will be decrypted as part of the export process and stored in plaintext in the .ini file.

Additional Configuration

The Settings tab of the defines application-wide settings. Settings such as log settings, session expiration time, etc. are controlled here.

Advanced settings are available through the Windows Registry which allow setting infrequently used values.

Settings

The Settings tab is used to configure application-wide settings. Please note that configuration changes will not take effect until you click the Save Changes button in the AES Drive toolbar. Options specific to Drives are configured via the Drives tab.

Logging Options

These options can be used to configure the application's logging features.

  • Write Log to a File checkbox defines whether logs are written to a file. By default logs are not written to a file and are only available in the Service tab.
  • Log Mode defines the verbosity of the logs generated by the application. The following Log Mode values are supported:
    • Off - Nothing will be logged.
    • Error - Only errors will be logged.
    • Warning - Additional warning information will be logged.
    • Info - General information about the status of the connection will be logged.
    • Verbose - Logs additional information about the connection and detailed protocol information.
    • Debug - Logs detailed debug information, including raw data.
  • Log Rotation is available when logging to a file. The logs may be rotated after a specified number of days, and the application can also be configured to automatically delete log files older than a specified number of days. When a log is rotated the existing log file will be renamed to include the last date for which the log applies. For instance myfile.log may be renamed to myfile-2020-07-15.log. The date portion of the rotated log name is in the format yyyy-MM-dd.

Session Settings

The Session Expiration Time setting optionally specifies an inactivity timeout in minutes. When set, if no activity is detected for the specified number of minutes the application will display a prompt to ask whether to keep the drive mounted. If the session is not extended within sixty seconds the drive will be unmounted.

Advanced Settings

Advanced options for AES Drive are stored in the Windows registry in HKEY_LOCAL_MACHINE\SOFTWARE\callback\AESDrive\24. This registry key holds settings that are available for AES Drive globally. Sub-keys at this path hold settings for individual drives.

The following keys hold configuration information:

Registry KeyApplicable Settings
HKEY_LOCAL_MACHINE\SOFTWARE\callback\AESDrive\24Global settings for the application.
HKEY_LOCAL_MACHINE\SOFTWARE\callback\AESDrive\24\DrivesDrives holds drive specific settings.

The following values can be configured within the root HKEY_LOCAL_MACHINE\SOFTWARE\callback\AESDrive\24 registry key:

NameTypeDescription
DeleteLogDaysDWORDSpecifies the number of days that log files will remain before being deleted. Only applies if RotateLogDays is greater than 0. If set to 0, old logs will not be deleted.
ForceFileCloseDWORD

Specifies whether to force the closure and subsequent update of the encrypted file on disk after the last handle to the file is closed. In general the application will update the header of the encrypted file on disk when the file is closed.

In some cases the system may not close the file immediately after the last handle is closed which results in the file on disk not being updated in a timely manner. This setting forces the closure of the file after the last handle is released. Possible values are:

  • 0 - Not Enabled
  • 1 - Enabled (default)
LogFileStringContains the path to the log file.
LogModeDWORDDetermines the level of logging:
  • 0 - Off. Nothing will be logged.
  • 1 - Error. Only errors in AES Drive's operation will be logged.
  • 2 - Warning. Additional warning information will be logged.
  • 3 - Info. General information about the status of the connection will be logged.
  • 4 - Verbose. Logs additional information about the connection and detailed protocol information.
  • 5 - Debug. Logs detailed debug information.
  • 6 - Debug2. Additional debug information. CAUTION: This generates a very large amount of data.
LogToFileDWORDDetermines whether or not the log will be written to a file. The file itself is specified by LogFile.
  • 0 - The log will only be written to the Log window on the Service tab. (default)
  • 1 - The log will also be saved to a file.
MaxLogLinesDWORDDetermines the maximum number of lines that will be stored in the Log window in the Service tab.
MountTimeoutDWORDDetermines how long (in seconds) AES Drive will wait for Windows to mount a drive without reporting an error. The default is 20 seconds when this value is not present in the registry.
PromptForRegPermissionsDWORDDetermines if AES Drive will ask for registry permissions if it does not have them when it tries to write to the registry.
  • 0 - AES Drive will not ask for registry permissions, instead bringing up a UAC dialog for one-time access.
  • 1 - AES Drive will ask to be granted registry permissions. If granted, UAC access will not be required in the future. (default)
RotateLogDaysDWORDSpecifies how many days AES Drive will use a log file before rotating to a new log file. If set to 0, the log file will never rotate.
ShowDotFilesDWORDDetermines whether files that start with a dot or period (.) are returned in a directory listing.
  • 0 - Dot files are not returned, so they are not displayed in explorer.
  • 1 - Dot files are returned in the directory listing (default).
HideDotFilesDWORDDetermines whether files that start with a dot or period (.) are marked as hidden when returned in a directory listing.
  • 0 - Do not hide dot files (default).
  • 1 - Any dot files will be marked with the hidden attribute.
IgnoredDirsStringSpecifies a comma-separated list of folders should be ignored by the virtual drive. Each folder included on the list cannot be created on the virtual drive and will not be returned in directory listings. Please specify the folder relative to the root of the drive.

Note: Use with caution. When the system asks us to create these folders we will respond with SYSERR_CANNOT_MAKE. Applications or system components that rely on these filesystem operations may start to behave unexpectedly.

  • "" - Nothing is ignored (default).
  • "\$RECYCLE.BIN" - Prevents the system from creating a recycle bin folder.

IgnoredFilesString

Specifies a comma-separated list of files to ignore requests for. Windows may make frequent, informational requests for files that it needs such as desktop.ini. If the request being made by the operating system is for one of the files in this list, the request will not be made to the S3 provider.

For each file on this list, we will service the system's request without performing the operation against remote storage. We respond by telling the system the file does not exist for simplicity.

  • "autorun.inf,bootmgr,bootnxt,hiberfil.sys,pagefile.sys,desktop.ini,thumbs.db" (default).

UseMetadataCacheDWORDSpecifies whether AES Drive will use caching for file metadata and directory enumeration entries. Disabling will cause AES Drive to re-download this information when it is requested by Windows and will slow performance.
  • 0 - No cache
  • 1 - Use caching (default)
OtherAllowedFilesString

When a new drive is created AES Drive will first check the contents of the specified secure storage location folder on disk to make sure it is empty or only contains encrypted files. If unencrypted files are found in the specified folder the application will not allow the location to be used.

This setting specifies a comma separated list of unencrypted files that are allowed and will not be considered when determining whether the folder is suitable for secure storage. The default value is autorun.inf,bootmgr,bootnxt,hiberfil.sys,pagefile.sys,desktop.ini,thumbs.db

SessionExpirationTimeDWORDControls the number of minutes the drive is mounted before requiring a password prompt. The default value is 0 (no expiration).

Drives

The following values can be configured independently for each drive, at HKEY_LOCAL_MACHINE\SOFTWARE\callback\AESDrive\24\Drives\{Drive Name}:

NameTypeDescription
DriveLetterStringContains the drive letter where the drive will be mounted (e.g. "Z:").
DriveNameStringContains the name that will be displayed for the drive.
DriveTypeDWORDDetermines the type of drive that will be mounted:
  • 0 - Network Drive
  • 1 - Local Disk (default)
  • 2 - Removable Disk
EnabledDWORDDetermines whether or not the drive will be mounted when AES Drive is started.
  • 0 - Disabled
  • 1 - Enabled
IndexDWORDThe position of the drive in the list of drives.
OpenRemoteFolderDWORDDetermines whether or not AES Drive will automatically open a folder after mounting the drive.
  • 0 - Disabled
  • 1 - Enabled
OpenSpecifiedFolderStringContains the folder that AES Drive will open if OpenRemoteFolder is enabled.
ReadOnlyDWORDDetermines whether or not AES Drive will mount the drive in read-only mode.
  • 0 - Disabled (default)
  • 1 - Enabled
CaseSensitiveNamesDWORDEnabling this setting will turn on case-sensitive mode in the virtual drive. The drive will advertise to Windows that it is sensitive to filename casing. This will allow some applications to work with files on the drive in a case-sensitive manner. Please keep reading for more information.

Windows treats file and directory names as case-insensitive. FOO.txt and foo.txt are treated as equivalent files. Although there are mechanisms to configure case-sensitivity in Windows, some applications may still make the assumption that the file system is case-insensitive. It is not uncommon for applications to transform filenames to use all upper or lower case. Please see the Microsoft Documentation for more information.

It is required for user-mode code of Windows to set the obcasesensitive setting to 0, in order to perform operations in a case-sensitive manner. Despite this setting, applications may assume the file system is case-insensitive. There is not a magic bullet to turn everything into case-sensitive. Applications may stop working in unexpected places.

By default, the virtual drive will advertise to Windows that is case preserving while it remains mounted. If the drive is started and then stopped and started again, you may see the case preserving is not persistent. For performance reasons we do not perform extra search operations to ensure the persistence of case preserving across stopping and starting the drive.

  • 0 - Disabled (default)
  • 1 - Enable case-sensitive mode

ObscureFilenameDWORDWhether AES Drive will encode the filename in the storage location. Warning: If this setting is turned off, the files at the storage location will have their filenames preserved.
  • 0 - Disabled (default)
  • 1 - Base64 Encoded Filenames
  • 2 - ChaCha20 Encrypted Filenames

Note: This setting must be specified after the drive has been created but before files and folders have been added to the drive. If this value is changed any previously created files and folders will not be visible.

LocationStringContains the path to the directory where the encrypted files will be stored.
PasswordVerifierStringContains a hex string composed of a PBKDF2 derived key concatenated with a 16-byte random salt. It is used to verify the password is entered correctly when starting the drive.
SaltStringContains a hex string consisting of the 16-byte global salt. This value is used as part of the encryption process for files stored in the drive. For more details please see AESD File Format

Drive Accessibility

Drives are only accessible by the user who started the application. Drives are not shared among users on the machine. If a Windows user attempts to access a drive which was mounted by AES Drive running under a different user's session the operation will fail with an error.

Note: If AES Drive mounts a drive while running with administrative privileges then the mounted drive will only be visible from applications running with administrative privileges. It will not be visible to any processes which are not running as administrator (such as Explorer).

Isolated Mode

Isolated mode ensures that each Windows user has their own settings independent of other users on the system. In AES Drive, Isolated Mode is always enabled. Isolated Mode governs the location in the registry where the configuration is read. All configuration is read from the HKEY_CURRENT_USER hive, and is completely separate for each local user account. As a result, each local Windows user will be able to manage their own drive list and application settings. The user's list of drives and application settings will persist across logging in and logging out.

Isolated Mode does not impact drive accessibility, which is detailed in the Drive Accessibility section.

Troubleshooting

If you are having problems with AES Drive, our support team is here to help. Visit https://www.callback.com/support/submit.aspx to submit a ticket. Please be as detailed as possible about your issue. It is also helpful if you generate and send a log file to support@callback.com.

How to Generate a Log File

  1. Navigate to the Settings tab.
  2. Enable Write Log to a File and specify a local file.
  3. Increase the Log Mode.
  4. Click the Save Changes button.
  5. Reproduce the issue.
  6. Click the Stop button.

Note that the length of time it takes for any operation is increased when Debug logging is enabled. The amount of data logged with this option enabled is substantial. We recommend enabling these settings for debugging purposes only.

Common Issues

Below you will find a list of common issues reported by our customers that you may find useful in troubleshooting a problem.

The Run as a Windows Service checkbox is enabled but drives are not connected upon startup.

All enabled drives should be connected automatically when the machine turns on, but there can be external factors which can cause this to fail. For instance, the system resources are not ready, the machine is multi-homed, policy of anti-virus software, etc.

When troubleshooting behavior with automatic start first ensure that the startup type is set to Automatic (Delayed Start) by opening the Service Control Manager, right-click the AES Drive service, and open the service properties.

If you have VPN software installed or the machine is multi-homed, then use Advanced Settings to configure the LocalHost setting in the registry. This setting should be set to the IP address of the network interface to use when connecting.

If neither suggestions help please gather an event log from the system which is failing and send it to us for analysis. This can be done by opening the Event Viewer, expand Windows Logs, then save the Application and System logs by right-click and Save All Events As....

Copying certain files causes a prompt specifying "The file XXX has properties that can't be copied to the new location"

The virtual drive created by AES Drive is of type exFAT. Certain NTFS specific functionality such as alternate data streams are not currently supported and may result in the warning above. Choosing to proceed with the operation when prompted by Windows is safe and does not affect the file content.

AESD File Format

The AESD file format used by AES Drive is documented below in detail. All algorithms used by AES Drive are standards and publicly documented.

Each encrypted file consists of a header and the encrypted contents. The header is 144 bytes in length and contains the AESD file format version, a checksum of the header bytes, and the encrypted file-specific key and padding length. The original file data is encrypted using XTS-AES with file-specific keys that are derived from a master key for the drive.

4 bytes [0-3] AESD. This is a file signature value which indicates the file is associated with the AES Drive application.
1 byte [4] 0x00. This is the file format version. The only supported value is 0.
2 bytes [5-6] Build number of the application used to create the file. These two bytes represent a 16-bit integer holding the build number of AES Drive that created the file. This field is informational only. Byte 5 holds the high-order bits and byte 6 holds the low-order bits. To decode these bytes into the build number the following code may be used: int buildNumber = headerBytes[5] << 8 | headerBytes[6];
5 bytes [7-11] 0x00. Reserved for future use.
4 bytes [12-15] CRC32 checksum. The CRC32 checksum is calculated by first replacing these 4 bytes with 0x00 then computing the checksum over the 144 byte header. The resulting numeric value is converted into 4 bytes using the operation:

byte[] CRC32Bytes = new byte[4]; for (int i = 0; i < 4; i++) CRC32Bytes[i] = (byte)((CRC32Bytes >> (24 - 8 * i)) & 0xff);

16 bytes [16-31] Global salt value. The global salt value is a random value created when the drive is created and used when encrypting newly created files within the drive. It is used when deriving the key to decrypt the encrypted header portion. See the section below for details about the encrypted header portion.
16 bytes [32-47] File-specific salt value. The file-specific salt value is a random value created when the file is created. It is used when deriving the key to decrypt the encrypted header portion. See the section below for details about the encrypted header portion.
80 bytes [48-127] AES-GCM encrypted header portion. The steps to derive the key to decrypt the encrypted header portion are as follows:
  • First use PBKDF2 with the following settings:
    • HMACSHA512 algorithm
    • 50,000 iterations
    • Salt is the 16 byte global salt value read from the header
    • Password is the original encryption password
    • Derived key length of 32 bytes
  • Combine the 16 byte file-specific salt with the 32 byte derived key to obtain a byte array of length 48. The first 16 bytes are the file-specific salt read from the file header. The last 32 bytes are the value derived from the PBKDF process above.
  • Compute the SHA512 hash over the 48 byte value from the above step.
  • The first 32 bytes of the hashed bytes are the AES-GCM key. The next 12 bytes are the AES-GCM IV. The remaining 20 bytes are unused.

The derived Key and IV are used together with the AES-GCM Auth Tag which are the last 16 bytes of the 144 byte header to AES-GCM decrypt the 80 byte encrypted header portion. The decrypted header portion contains:

2 bytes Padding length. The padding length is represented in Big Endian and may be converted from bytes to an integer using the following operation: PaddingLen = (decryptedHeaderBytes[0] << 8) + decryptedHeaderBytes[1];
14 bytes 0x00. Reserved. These bytes are all defined as 0x00.
64 bytes File-specific XTS-AES 256 encryption keys.

16 bytes [128-143] AES-GCM auth tag. This auth tag is used when decrypting the previous 80 byte encrypted header portion.
nn bytes The XTS-AES 256 encrypted file content. The data unit size is 512 bytes. The first 32 bytes of the file-specific encryption key from the decrypted header is the first key. The last 32 bytes of the file-specific encryption key from the decrypted header is the second key. Because each data unit must equal 512 bytes, the last plaintext block of data may be padded with null bytes (0x00) as needed to reach 512 bytes in length. The padding length is encrypted and stored in the encrypted header portion. When decrypting the padding is removed.