Skip to main content

Escrow Users

Escrow Users Overview

Escrow Users are not typical users of the system. Escrow users are assigned an Escrow role by the Site key admin and each belongs to an Escrow Group.

  • When you create an escrow account, you do not create a tiCrypt account; instead, you generate a particular order that a site-key admin has to sign to certify it so you can be added to the escrow group which allows you to escrow keys for other users.
  • Before the site-admin signs your order your escrow user key is useless, after signing it your key will be active.

Escrow groups are groups of escrow users whose sole purpose is to recover lost private keys in an isolated secured environment. The escrow process requires a large chain of trust shared among multiple escrow users.

Escrow users' abilities:

  • Get information on available key escrows for each tiCrypt user.
  • Share your group key with other escrow group members (This is required if new escrow users are added to an escrow group).
  • Share your group key with a designated escrow user that will recover a given tiCrypt user key.
  • Recover a tiCrypt user's key (if they obtained the required group keys for all the groups).

Unless a group key is shared with a specific escrow user, the key cannot be recovered by the escrow user. The simple act of belonging to an escrow group is insufficient. If multi-factor authentication is enabled, the recovered user private key can only be used if the multi-factors are satisfied.

  • Your newly generated escrow user key does not grant you any permissions unless counter-signed by the site-key administrator.
  • It is pointless to wait for a private key recovery from the system if the key has never been set on Active escrow on next login by a tiCrypt admin before.

To re-establish user access, the tiCrypt user must be physically present during the key recovery process so that the recovered key can be protected by a password only known to the tiCrypt user.

Create an Escrow User Account

1.First (Escrow Users Only):

The escrow user must communicate with the site-key admin to determine which escrow group they will be a part of.

To create a new escrow user account navigate to tiCrypt Connect desktop application and launch the application in your browser.

  • In the login page click the dropdown button in the top right center.
  • Select option.
  • Click green button.

In Step your private keys are generated.

In Step you register your profile details.

  • Select your designated escrow group.
  • Type your first, last name and email.
  • Optionally, type your department and position.
  • Type your encrypted private key password.
  • Re-type your encrypted private key password.
  • Click Register.

In Step your private key is downloaded.

  • View the .json file of your private key. Store it on a USB on you or in a safe computer solely accessed by you. Do not edit it. Please do not share it with anyone.
  • Optionally, click Redownload private key button in the bottom left.
  • Click .
  • Your .json escrow profile file is downloaded.
  • Do not login yet.
  • Email your public key to the site-key admin.
  • The user cannot proceed until both file keys are fully generated.
  • The user may choose to download keys with the default name or give each key a custom name.

2. Second (Site-key admins only):

  • In the escrow dashboard, create the request for the escrow user.

  • Sign the newly created request.

  • Drag-and-drop the escrow user's public key into your site-key dashboard.

  • Tick the Sign box.

  • Type your password.

  • Download the signed request.

  • Send the signed request to a super-admin.

3. Third (Super admins only):

To execute the signed request navigate to tab in the Escrow Certificates section.

  • Click Execute signed certificates button in the top right.

  • In the prompt, click .

  • In the prompt, find and select the signed request from site-key admin.

  • Click .

  • Click .

Now the escrow user is active and part of the escrow group that can escrow keys.

Change the Password of the Escrow User

To change your escrow user password login to your escrow user account.

  • In the top right menu, select change password option.
  • In the prompt, type your current password.
  • Type your new password twice.
  • Click .

You will be prompted to log out. Your new key will be downloaded. Use your new key to log in next time.


Changing the password twice quickly will force the system to request a stronger password.