Site-key Admin
Site-key Administrator Overview
The Site-key admin is a selected individual responsible for the site-key and private key recoveries.
The Site-key administrator:
- Is a remote individual who can add or remove escrow users and escrow groups.
- Is completely separated from the system, on both the front end and the back end.
- Does not require any backend access.
- Cannot give the site-key to the system.
- Is not involved in tiCrypt and does not use it the way a user, admin, or super-admin does.
The Site-key administrator's activities are:
- Guard the site-key.
- Create and delete escrow groups.
- Add and remove escrow users.
- Receive key orders and sign them via digital signature.
There is a single site-key admin in every system. If the site-key admin leaves the organization, a new set of site keys is produced.
Site-Keys
A Site-key is a unique private key used for very specific scenarios involving escrow users.
The Site-Key:
- Is received and counter-signed by Tera Insights LLC.
- Is fully dissociated from the backend.
- Can be shared only via super-admin collaboration.
- Is only used to sign digital orders that indicate escrow users and group administration.
- Signs orders that are then safely emailed or transferred via thumb drives to the tiCrypt super-administrator.
The system does not know where the site key resides.
The site key and private key must be guarded carefully because they can escrow other users' keys.
- Escrow orders are received from admins.
- Escrow deletion requests are received from super-admins.
- The super-admin decides whether or not to accept the escrow orders.
If the site key is compromised, the security of users' keys can be compromised.
- Site-key actions do not take effect until a tiCrypt administrator adds them to the system using the certificates interface.
- It is highly recommended that Internet access is disabled during site-key activities.
- The digital signatures can be transferred via thumb drives.
Create and Activate Site-key
To create a Site-key, navigate to the tiCrypt Connect desktop application in your browser.
- In the login page click the dropdown button in the top right center.
- Select option.
- Click green button.
In Step your site-keys are generated.
In Step you confirm your registration.
- Type a preferred private key password.
- Re-type the private key password.
- Click Register.
In Step your site keys are downloaded.
- View the prv.json and pub.json files of your site key. Store it on a USB drive that you keep with you or on a safe computer accessed solely by you. Do not edit it. Please do not share it with anyone.
- Optionally, click the Redownload public/private key button in the bottom left.
- Click .
- Email your public key prv.json file to Tera Insights LLC for counter-signing.
The private key pub.json file must be protected at all costs and must never be shared.
You may prefer to download the public/private key files with the default name or give each of them a custom name.
The generated public key prv.json file is inactive until counter-signed by Tera Insights.
Once counter-signed, log in with your private key pub.json.
- In the login page click the dropdown button in the top right center.
- Select option.
- Click button in the center.
- In the prompt, select your private key pub.json file.
- Click .
You are now logged into the Escrow Management page.
Create Escrow Groups
1. First (Site-key admin only):
To create an escrow group, navigate to the tiCrypt Connect desktop application in your browser.
- In the login page click the dropdown button in the top right center.
- Select option.
- Click button in the center.
- In the prompt, select your public key prv.json file.
- Click .
- In the top left card, click .
- In the prompt, type a name for your escrow group.
- Click .
- In the top left group card, tick the Sign box on the bottom right.
- Type your password in the top right corner.
- Verify your group certificate is removal under the Signed Certificates column.
- Click in the top right.
- Click to download the group certificate.
- Email the downloaded export file to a super-admin.
2. Second (Super-admins only):
To execute a signed escrow group, navigate to tab in the Escrow Certificates section.
- Follow the instructions from the upload escrow certificates section.
If the user wants to edit the request, they can do so by clicking the blue button located at the bottom left of the request. If the user would like to completely delete the request, they can do so by clicking the red button.
Add Escrow Certificate(s) to Users
The site-key administration is performed using signed orders/certificates.
For security reasons and separation of duties, the site-key administrator does not have direct access to the system.
For orders from the site-key administrator to take effect, they must be added by a super-admin in the tab in the Escrow Certificates section.
This section allows the Site-key administrators to sign escrow user certificates.
Signed escrow certificates come from:
- The site-key administrator, when they are signed using the site key (typical orders are related to escrow user control).
- Escrow users when they are signed with the key of a specific user.
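The trust chain described above (vendor counter-signs the site public key, the site-key administrator signs an order offline, a super-admin adds it only if it verifies) can be sketched as follows. This is an added example, not tiCrypt's code or file format: Ed25519, the JSON layout, and every function and field name are assumptions made for illustration.

```javascript
// Added example: not tiCrypt code or its file format. Ed25519 and the JSON
// layout are assumptions used only to show the two-link trust chain.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const toPem = (publicKey) => publicKey.export({ type: 'spki', format: 'pem' });
const b64 = (buf) => buf.toString('base64');

// Vendor step: counter-sign the site public key so it becomes active.
function counterSign(vendorPrivateKey, sitePublicKey) {
  const sitePublicPem = toPem(sitePublicKey);
  return { sitePublicPem, vendorSig: b64(sign(null, Buffer.from(sitePublicPem), vendorPrivateKey)) };
}

// Site-key admin step (offline): sign the exact serialized order bytes.
function signOrder(sitePrivateKey, order) {
  const body = JSON.stringify(order);
  return { body, siteSig: b64(sign(null, Buffer.from(body), sitePrivateKey)) };
}

// Super-admin step: the order takes effect only if both links verify.
function verifyOrder(vendorPublicKey, activation, signedOrder) {
  const keyOk = verify(null, Buffer.from(activation.sitePublicPem), vendorPublicKey,
    Buffer.from(activation.vendorSig, 'base64'));
  if (!keyOk) return { accepted: false, reason: 'site key not counter-signed' };
  const orderOk = verify(null, Buffer.from(signedOrder.body), activation.sitePublicPem,
    Buffer.from(signedOrder.siteSig, 'base64'));
  if (!orderOk) return { accepted: false, reason: 'order signature invalid' };
  return { accepted: true, order: JSON.parse(signedOrder.body) };
}

function demo() {
  const vendor = generateKeyPairSync('ed25519');
  const site = generateKeyPairSync('ed25519');
  const other = generateKeyPairSync('ed25519'); // key the vendor never counter-signed
  const activation = counterSign(vendor.privateKey, site.publicKey);
  const order = { action: 'create-escrow-group', group: 'recovery-team' }; // constructed sample
  const signed = signOrder(site.privateKey, order);
  const tampered = { ...signed, body: signed.body.replace('recovery-team', 'other-group') };
  const fakeActivation = { sitePublicPem: toPem(other.publicKey), vendorSig: activation.vendorSig };
  return {
    good: verifyOrder(vendor.publicKey, activation, signed),
    tampered: verifyOrder(vendor.publicKey, activation, tampered),
    unactivated: verifyOrder(vendor.publicKey, fakeActivation, signOrder(other.privateKey, order)),
  };
}

console.log(demo());
```

The signature covers the serialized order string that travels with it, so the verifier never has to re-serialize the order and cannot be tripped by key-ordering differences.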
Reassign the Site-key
It is not expected nor encouraged to change the site-key admin unless the site-key password is lost. If necessary, a user must go through the same steps they take to register a new site key. They must send the public key part of their site key to Tera Insights so we can sign off on it.
Both super-admins and the site-key admins must:
- Pay attention to who comes in for a digital signature (The whole signing process is conducted offline within an isolated secured environment).
- Control who can be an escrow user.
- Work together with the escrow group to recover a user's private key.