Skip to main content

Escrow Users

What are Escrow Users?

Escrow Users are not typical users of the system. Escrow users are assigned an "Escrow role" by the site key user. For more information, please visit the Escrow Groups.

Upon activating users in the system, admins must select a checkbox indicating "escrow user's key" or "do not escrow". This essentially means that if the user loses their private key it was escrowed, and it can be recovered. If the user's key was not escrowed and they lose it, they cannot recover it.


Admins can change the escrow state of users at any point. If a user lost a key and then the user escrows, that will not help to recover the key. The user must log in using their private key for the backend to receive pieces of the key.

Specifically, escrow users can:

  • Get information of available key escrows for each tiCrypt user.
  • Share their group key with other group members. This is required if new escrow users are added to an escrow group
  • Share their group key with a designated escrow user that will recover a given tiCrypt user key
  • Recover a tiCrypt user's key (if they obtained the required group keys for all the groups)

Unless a group key is shared with a specific escrow user, the key cannot be recovered by the escrow user. The simple act of belonging to an escrow group is not sufficient.


The simple act of generating an escrow user key does not grant any permissions in tiCrypt. Unless the escrow user key is counter-signed by the site-key administrator, the escrow users are not recognized by tiCrypt.


If multi-factor authentication is enabled, the recovered user private key can only be used if the multi-factors are satisfied.


If the purpose of the key recovery is to re-establish user access, have the tiCrypt user be present during the key recovery process so that the recovered key can be protected by a password only known to the tiCrypt user.

How do Escrow Users work?

Every user in tiCrypt has a private and public key. Public keys can and should be shared with other users as there is no risk in sharing a public key. There is, however, a huge risk in sharing a private key.

To explain why escrow works the way it does, it is common to explain it using the following story.

You live in your house.

You want to give other people the key to your house in case you ever lose your own key. But you do not want anyone to be able to get into your house if you're not there.

You can give a key to a friend, but they can still go behind your back and enter your house. The same goes with your family. You think about giving half of one key to one of your friends, and the other half of the key to another friend. This could work, but what if the two friends collaborate, put the keys together, and enter the house.

This solution does not suffice.

You cannot issue the pieces of the key to people that are related/ know eachother. Hence, you give 1/3 of the key to a member of your family, 1/3 f the key to one of your friends, and 1/3 of the key to a coworker. None of the people in the 3 groups know each other nor do they know who holds the other parts of the key. This solution works. And the more pieces of the key that the owner of the house issues out, the more secure their house will be.

The way that Escrow works in tiCrypt is the same.

We enforce a minimum of three escrow groups, yet we encourage more. Each time a user's key is escrowed, the backend receives "pieces" of it. If the user ever loses their private key, one member from each escrow group must get and put the pieces together.

This solution ensures that no single individual can obtain another user's private key.

How to create an Escrow User

To create a new escrow user:

  1. The User must communicate with the Site-key admin to determine which escrow group they will be a part of.
  2. Instructed to a group by the admin; the user should navigate to the Escrow interface. They can do so by selecting the dropdown located at the top right side of the login box as seen in the video below.
  3. Once a user navigates to the correct interface, they can register by selecting the green button.
  4. By clicking a pair of public and private keys will be generated for the user.

    The user cannot proceed until the keys are fully generated.

  5. Next, the user selects their escrow group, their credentials, and a password.
  6. Finally, the user is directed to download and save both their private and public keys. At this step, there is a default name for both the public and private keys.

The user may choose to download keys with the default name or give each of their keys a name.

Create Escrow User
  1. The escrow user must then email their public key to the site-key admin so they can create the request for the escrow user and sign it.

  2. The site-key admin will drag the escrow user's public key into the dashboard of the site-key interface dashboard.

  3. They will click the check box, sign it using their password, and download the signed request.

  4. Now the escrow user is active and part of the escrow group that can escrow keys.

How to delete an Escrow User

To delete an escrow user from the system:

  1. The super-admin must navigate to the Escrow Users in the tab.

  2. They must select the specified escrow user then click the Create deletion request button located in the top right panel.

  3. A request file will immediately begin to download. The super-admin must email this file to the site-key admin.

Create Escrow User Deletion Request
  1. The site-key admin must log in to the site-key interface and drag the file that was sent to them by the super-admin into the dashboard.

  2. Next, the site-key admin must select it, sign it by putting it their password, and export the signed certificate.

  3. The site-key admin must send this signed certificate back to the super-admin so that the super-admin can upload the certificate into Signed Escrow Actions located in the tab.

  4. From there, the user must select the Plus icon located at the top right side of the screen and drag in the request file that was emailed to them by the site-key admin.

  5. Once dropped, the super admin must sign by checking the Sign box, and then clicking .