Register Escrow User Account

In this section
  • How to register an escrow user account.
  • Manage escrow permissions.
  • Key escrow principles.

Prerequisites

Access Level:

Escrow User, Super-admin

Permission Requirements

  • None.

Register an Escrow User Account

To create an escrow user account in tiCrypt, follow these steps:

  1. Open Connect Application.
  2. Select your deployment card.
  3. In the login window, select the Escrow category.
  4. Click the Create new escrow account button in the center.
  5. Select the escrow group assigned to you by your admin.
  6. Click Continue to account information.
  7. Enter your first and last name along with your email address.
  8. Click Continue to password.
  9. Next, enter your password twice to confirm.
  10. Click Continue to optional information.
  11. Enter your optional department and position.
  12. Click Review account.
  13. Review your information and click on the field you want to update.
  14. Once you update the field, click the Return to review button.
  15. Click Finish registration to proceed.
  16. Select the folder for your public-private key pair and click Save.
  17. Click the Redownload CSR or private key button to re-download the keys.
  18. Click Continue to escrow.
  19. Wait for the Site-Key Admin to activate your account.
  20. Once active, click Load key on the login page.
  21. Open the key file that you saved locally.
  22. Enter your account password.
  23. Click Login.
Tip

Ensure you know which escrow group you belong to before creating an escrow user account.

Confirmations, Errors & Solutions
Create Escrow Group Confirmation

Created request for new escrow group "name-of-the-escrow-group".

Export Certificates Confirmation

Exported total-number certificates to signed-certificates.json.

Escrow Account Registration Confirmation

Encryption successful, downloading key and registration request...

Unknown Escrow Groups

If you are unsure which group to register for, please contact the system administrator before continuing.

Contact Your System Admin

Your institution provides you with your admin contact details. Ask your admin which escrow group you will register for before creating an escrow account.

Unselected Escrow Groups

You must select a group.

Select Existing Escrow Group

Select an existing escrow group from the arrow list then click Continue to account information.

Invalid First or Last Name

May only contain alphabetic characters, apostrophes, and spaces.

Re-enter First or Last Name

Your first or last name contains numbers. You must re-enter your first and last name using only alphabetic characters, apostrophes and spaces.

No Entered Email

You must enter an email.

Enter Your Institution Email

Enter your institution email in the blank field.

Invalid Email

Must be a vaild email.

Re-enter Email in the Correct Format

Include @ in the email address so that it matches the input requirements and your institution's format.

Password Too Weak

Add another word or two. Uncommon words are better.

Re-type a Stronger Password

You must enter a stronger password to pass the minimum requirements when registering a new escrow account.

Unmatched Passwords

Passwords do not match.

Re-enter Passwords

Re-enter the exact same password in the Password and Confirm Password fields.

Invalid Characters in Optional Department and Position

May not contain any of / \ | : ? * < > { } or NUL.

Re-enter Optional Department and Position in the Correct Format

Use only alphabetic characters and spaces in the Department and Position fields. Do not use special characters.

Failed to Load Escrow Groups

Failed to load Escrow groups: No escrow public key with ID private-key-string-id.

Contact Your System Admin

The system does not recognize you as part of the escrow group. You must contact your system administrator to add you to the escrow group or re-register your escrow account.

Failed to Load Regular Users With Escrowed Keys

Failed to load regular users with escrowed keys: Error: No escrow public key with ID your-public-key-string-id.

Contact Your System Admin

The system cannot read your escrow public key. You must contact your system administrator to review your registration details or re-register your escrow account.

Failed to Share All Key Parts with an Escrow Group Member

You are not in any group.

Ask System Admin to Add You to an Escrow Group

The system does not allow you to share your key parts alone. Ask your system admin to add you to an existing escrow group before performing any escrow actions.

Delegate Escrow Permissions

To delegate escrow permissions to an admin, follow these steps:

  1. Log in to your user account with the admin or super-admin role.
  2. Go to the Management icon in the top left panel.
  3. Select Users section.
  4. Select Users.
  5. Find and select the user with the admin role to whom you wish to delegate escrow permissions.
  6. Click the Open Full Menu three-dot button in the top right panel.
  7. Next, select Open Overlay.
  8. In the overlay, select Profile & Permissions card in the left panel.
  9. Go to the Basic Key Escrow and Key Escrow Administration sections.
  10. Select the following permissions as needed:
      • Escrow own key
      • Check if own key is escrowed
      • View all escrowed keys in the system
      • List escrow recovery key
      • Delete escrowed keys
      • View escrowed keys
      • View Escrow groups
      • View Escrow users
      • Escrow public key
      • View history of all Sitekey-authorized Escrow actions
  11. Once done, click Save in the top right panel.
Warning

The Delete escrowed keys action should only be performed by Super-Admins.

Caution

Only users with Admin or Super-Admin roles should manage escrow permissions.

Key Escrow in tiCrypt

tiCrypt employs a comprehensive security model where all resources are encrypted using AES-256 encryption, complemented by public-key cryptography for key management. Each user possesses a private key to decrypt their specific encryption key. If a user's key is lost or withheld, the data becomes irretrievable due to the encryption.

To address potential key loss or legal requirements for data access, tiCrypt integrates a key escrow system that enables the recovery of user private keys, thereby restoring data access. The following points outline the principles and structure of tiCrypt's key escrow system.

Design Principles

  • Cryptographic Security: Utilization of encryption and digital signatures is prioritized over access control lists.
  • Separation of Duties: Key recovery processes require multiple authorized individuals to prevent unauthorized access if a user's credentials are compromised.
  • Limited Administrator Role: System and tiCrypt administrators have minimal involvement in key recovery to enhance backend security.

Roles in Key Escrow

  • Escrow Users: Perform tasks like sharing key segments and recovering keys. They require all parts of a key to initiate recovery.
  • Site-Key Administrator: Assigns and organizes escrow user roles into groups.
  • tiCrypt Administrators: Execute the escrow process as authorized by the site-key administrator.

Escrow Process

  1. Initiation: tiCrypt administrators activate escrow by setting a user's state to Escrow On Login.
  2. Key Decryption: Occurs when a user logs in and their private key is decrypted.
  3. Key Generation: A random AES-256 key is generated for each escrow group.
  4. Master Key Creation: A master AES-256 key is formed by combining all group keys.
  5. Encryption and Storage: The user's private key is encrypted with the master key and stored on tiCrypt's backend.
  6. Key Sharing: Each group key is cryptographically divided among the escrow users within the group and securely stored in the backend.

De-Escrowing

  • Key Recovery: Escrow users retrieve and reconstruct the master AES-256 key by piecing together their respective group keys.
  • Decryption: The master key decrypts the stored user's private key, which is then used to access the encrypted data.

Participation Requirement

At least one member from each escrow group must participate in key recovery to ensure multi-party verification and security.
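
The escrow and de-escrow steps above, modeled as an added sketch that is not tiCrypt's code, showing why recovery needs one participant from every group. It assumes a SHA-256 combiner for the master key, an HMAC-SHA256 construction standing in for AES-256, per-member symmetric secrets standing in for the escrow users' key pairs, and that any one member can unwrap their group's key; all names and sample data are constructed.

```python
import hashlib
import hmac
import secrets

def _h(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    enc = _h(key, b"enc")  # separate subkey for encryption
    return b"".join(_h(enc, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def seal(key, data):
    # Stand-in for AES-256 authenticated encryption so the sketch needs only the stdlib.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + _h(_h(key, b"mac"), nonce + ct)

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _h(_h(key, b"mac"), body)):
        raise ValueError("wrong key or modified blob")
    return bytes(a ^ b for a, b in zip(body[16:], _keystream(key, body[:16], len(body) - 16)))

def master_key(group_keys):
    # Assumed combiner: hash every group key in a fixed order; a missing key changes the result.
    h = hashlib.sha256(b"constructed-escrow-master")
    for name in sorted(group_keys):
        h.update(name.encode() + b"\x00" + group_keys[name])
    return h.digest()

def escrow(private_key, groups, member_secrets):
    # Steps 3-6: random 256-bit key per group, master key, sealed private key, per-member shares.
    group_keys = {g: secrets.token_bytes(32) for g in groups}
    blob = seal(master_key(group_keys), private_key)
    shares = {(g, m): seal(member_secrets[m], group_keys[g]) for g in groups for m in groups[g]}
    return blob, shares

def de_escrow(blob, shares, participants):
    # participants maps member -> secret; the first available member unwraps each group's key.
    recovered = {}
    for (g, m), wrapped in shares.items():
        if m in participants and g not in recovered:
            recovered[g] = unseal(participants[m], wrapped)
    return unseal(master_key(recovered), blob)  # raises ValueError if any group is absent

# Constructed sample data: two escrow groups, three escrow users, a fake private key.
GROUPS = {"legal": ["alice", "bob"], "security": ["carol"]}
SECRETS = {m: secrets.token_bytes(32) for members in GROUPS.values() for m in members}
USER_KEY = b"-----CONSTRUCTED USER PRIVATE KEY-----"
```

Calling `de_escrow` with Bob and Carol returns the key, while Alice and Bob together (both from the same group) get a `ValueError`.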

This structured approach ensures that tiCrypt's key escrow system meets security thresholds, adheres to regulatory compliance requirements, and provides a robust fail-safe for data recovery in extreme scenarios, offering reassurance to users and clients.

Upon account registration, escrow users select an escrow group assigned by the site-key admin. No escrow action can be taken before the escrow user key is activated by the site-key admin.

If even one escrow user from a group is unable or unwilling to participate in key de-escrowing, the lost user's private key cannot be recovered. This highlights the critical role each escrow user plays in ensuring the security and recovery of user data, fostering a sense of responsibility and trust.