Skip to main content

Site-key Admin

Site-key Administrator Overview

The Site-key admin is a selected individual responsible for the site-key and private key recoveries.

The Site-key administrator is:

  • A Remote individual who can add or remove escrow users and escrow groups.
  • Completely separated from the system, both front-end and back-end-wise.
  • Does not require any backend access.
  • Cannot give the site-key to the system.
  • Not one that is involved and uses tiCrypt the way a user, admin, or super admin does.

The Site-key administrators' activities are:

  • Guard the site-key.
  • Create and delete escrow groups.
  • Add and remove escrow users.
  • Receive key orders and sign them via digital signature.

There is a single site-key admin in every system. If the site-key admin leaves the organization, a new set of site keys is produced.


A Site-key is a unique private key used for very specific scenarios involving escrow users.

The Site-Key is:

  • Received and counter-signed by Tera Insights LLC.
  • Fully dissociated from the backend.
  • Can be shared only via super-admin collaboration.
  • Only used to sign digital orders that indicate escrow users and group administration.
  • Once signed it is safely emailed or transferred via thumb drives to the tiCrypt super-administrator.

The system does not know where the site key resides.

The site key and private key must be guarded carefully because they can escrow other users' keys.

  • Escrow orders are received from admins.
  • Escrow deletion requests are received from super-admins.
  • The super-admin decides whether or not to accept the escrow orders.

If the site key is compromised, the security of the user's keys can be compromised.

  • Site-key actions do not take effect until a tiCrypt administrator adds them to the system using the certificates interface.
  • It is highly recommended that Internet access is disabled during site-key activities.
  • The digital signatures can be transferred via thumb drives.

Create and Activate Site-key

To create a Site-key navigate to tiCrypt Connect desktop application in your browser.

  • In the login page click the dropdown button in the top right center.
  • Select option.
  • Click green button.

In Step your site-keys are generated.

In Step you confirm your registration.

  • Type a preferred private key password.
  • Re-type the private key password.
  • Click Register.

In Step your site keys are downloaded.

  • View the prv.json and pub.json files of your site key. Store it on a USB on you or in a safe computer solely accessed by you. Do not edit it. Please do not share it with anyone.
  • Optionally, click Redownload public/private key button in the bottom left.
  • Click .
  • Email your public key prv.json file to Tera Insights LLC for counter-signing.

The private key pub.json file must be protected at all costs and must never be shared.


You may prefer to download the public/private key files with the default name or give each of them a custom name.


The generated public key prv.json file is inactive until counter-signed by Terra Insights.

Register as a Site-Key User

Once counter-signed, log in with your private key pub.json.

  • In the login page click the dropdown button in the top right center.
  • Select option.
  • Click button in the center.
  • In the prompt, select your private key private key pub.json file.
  • Click .

You are now logged into the Escrow Management page.

Login as a Site-Key User

Create Escrow Groups

1. First (Site-key admin only):

To create an escrow group navigate to tiCrypt Connect desktop application in your browser.

  • In the login page click the dropdown button in the top right center.
  • Select option.
  • Click button in the center.
  • In the prompt, select your public key public key prv.json file.
  • Click .
  • In the top left card, click .
  • In the prompt, type a name for your escrow group.
  • Click .
  • In the top left group card, tick the Sign box on the bottom right.
  • Type your password in the top right corner.
  • Verify your group certificate is removal under Singned Certificates column.
  • Click in the top right.
  • Click to download the group certificate.
  • Email the downloaded export file to a super-admin.
Create Escrow Group

2. Second (Super-admins only):

To execute a signed escrow group navigate to tab in the Escrow Certificates section.

If the user wants to edit the request, they can do so by clicking the blue button located at the bottom left of the request. If the user would like to completely delete the request, they can do so by clicking the red button.

Execute Signed Certificates

Add Escrow Certificate(s) to Users

The site-key administration is performed using signed orders/certificates.

For security reasons and separation of duties, the site-key administrator does not have direct access to the system. For orders from the site-key administrator to take effect, they must be added by a super-admin in the tab in the Escrow Certificates section. This section allows the Site-key administrators to sign escrow user certificates.

Signed escrow certificates come from:

  • Site-key administrator when they are signed using the site key. (typical orders are related to escrow user control)
  • Escrow users when they are signed with the key of a specific user.

Reassign the Site-key

It is not expected nor encouraged to change the site-key admin unless the site-key password is lost. If necessary, a user must go through the same steps they take to register a new site key. They must send the public key part of their site key to Tera Insights so we can sign off on it.

Both super-admins and the site-key admins must:

  • Pay attention to who comes in for a digital signature (The whole signing process is conducted offline within an isolated secured environment).
  • Control who can be an escrow user.
  • Work together with the escrow group to recover a users' private key.