Escrow Users' Role in Key Escrow
Escrow Users play a critical role in the de-escrowing activities and the overall maintenance of the escrow system within tiCrypt. Their responsibilities are specifically designed to ensure secure and controlled access to encrypted user data.
Key Functions of Escrow Users:
- Monitoring Escrow Status: Escrow users can access details about the available key escrows for each tiCrypt user, ensuring they are kept up-to-date on the status of key management.
- Key Sharing Among Group Members: They are responsible for sharing their group key with other members within the same escrow group, a necessary step particularly when new escrow users are integrated into the group.
- Key Recovery Assistance: Escrow users can share their group key with a designated escrow user tasked with recovering a specific tiCrypt user's key, provided they have acquired the necessary keys from all related groups.
Important Considerations:
- Key Recovery Conditions: A group key can only be recovered by an escrow user if it is explicitly shared with them. Merely being a member of an escrow group is insufficient for key recovery.
- Escrow User Key Authorization: Generating an escrow user key does not automatically confer permissions within tiCrypt. For an escrow user key to be recognized, it must be counter-signed by the site-key administrator.
- Multi-factor Authentication (MFA): If enabled, the use of a recovered user private key is contingent upon satisfying the multi-factor authentication requirements.
Steps to Create an Escrow User Account
Step 1: Escrow User Action
The escrow user must first communicate with the site-key admin to determine their escrow group.
To create a new escrow user account, navigate to the tiCrypt Connect desktop application and launch it in your browser.
- On the login page, click the dropdown in the top right center.
- Select .
- Click green button.
Registration Steps:
Step 1: Your private keys are generated.
Step 2: Register your profile details:
- Select your designated escrow group.
- Type your first name, last name, and email.
- Optionally, type your department and position.
- Type and re-type your encrypted private key password.
- Click Register.
Step 3: Download your private key:
- View the .json file of your private key. Store it securely and do not share it.
- Optionally, click Redownload private key.
- Click .
- Download your .json escrow profile file but do not log in yet.
- Email your public key to the site-key admin.
- View the
The user cannot proceed until both keys are fully generated. Users may choose to download keys with the default name or give each key a custom name.
Step 2: Site Key Administrator Action
- In the escrow dashboard, create and sign the request for the escrow user.
- Drag-and-drop the escrow user's public key into your site-key dashboard.
- Tick the Sign box.
- Type your password and download the signed request.
- Send the signed request to a super-admin.
Step 3: tiCrypt System Admin Action
To execute the signed request, navigate to the tab in the Escrow Certificates section:
- Click Execute signed certificates.
- Select the signed request file and click .
- Apply the certificate to activate the escrow user.
Change the Password of the Escrow User
To change your escrow user password, log in to your account:
- Select Change password.
- Type your current password and new password twice.
- Click .
You will be prompted to log out and your new key will be downloaded. Use this new key to log in next time.