
tiCrypt Admin

What is a tiCrypt Administrator?

tiCrypt administrators are the managers of the system and have a minimal role in the escrowing process.

The main actions concerning key escrow performed by tiCrypt administrators are:

  • Control when/if the user's key is escrowed. This is accomplished by setting the user's state to Escrow on Login.
  • Remove existing user key escrows by deleting the encrypted group keys shared with escrow users.
  • Apply signed orders from the site-key administrator.

tip

The administrators can control whether to submit site-key signed orders but cannot change such orders in any way.

caution

Submitting a valid but incorrectly signed certificate results in a security violation and is reported in tiCrypt Audit.

note

The role of the administrators for key de-escrowing is severely limited.

How do tiCrypt admins work?

The tiCrypt escrow process is designed to minimize admin power. The admins will only sign the site-key when they receive it. However, they cannot actively create escrow keys for users without the involvement of both the escrow groups and the site-key administrator.

For newly created accounts, admins should allow users to get their keys escrowed in case they lose their private key in the future.

info

This is the only way a user account can be recovered. If an admin refuses to change the state of the user to Active and Escrow on next login, the escrow recovery key will never be generated in the first place, making it impossible to recover the user's account in the future.

Changes User State to Escrow

Set a User Escrow Key

To set an escrow key for a user, navigate to the tab along the top of the page.

  1. In the navigation pane, select the Users section.
  2. Find and select the user whose key you would like to escrow.
  3. Click the Change State button on the top sidebar.
  4. Select the Active on next login option in the prompted window.
  5. Click on the bottom right to escrow the user key on next login.

tip

You can also perform this action by selecting the user, clicking Open Overlay in the top right panel, clicking Active in the left panel, selecting the option Active and escrow on next login in the top right panel, then clicking on .

User Active Escrow

The next time the user logs in, an escrow key will be generated, which will be used in the event of private key recovery in the future.

View Escrow Users

Users with a super-admin role may have permissions to view the escrow users and groups in the management tab. The Escrow Users section provides information on the existing escrow users. Within the Escrow Users tab, only a deletion request can be made.

To view the escrow users, navigate to the tab along the top of the page.

  1. In the navigation pane, select Escrow Users.
  2. View all escrow users in the system.

Viewing Escrow Users

Delete Escrow Users

  • Create Deletion Request creates a deletion request for the selected user.

note

As explained in section Delete-Escrow-User, only signed orders from the site-key administrator can control the escrow users.

View Escrow Certificates

The only allowed actions are to view the signed orders by clicking on View Certificate JSON in the top right panel and to execute signed certificates. Usually, the signed order provides more details on the action taken due to the signed certificate.

Upload Escrow Certificates

To upload a signed certificate, click Execute Signed Certificates in the top right panel. A window will open. Click on button and upload the signed certificate, then click .

tip

Send the generated .json file to the site-key administrator for counter-signing. Wait for them to sign the order as described in the site-key admin escrow groups.

Add Certificate(s) to Users

The site-key administration is performed using signed orders/certificates. For security reasons and separation of responsibilities, the site-key administrator does not have direct access to the system. For orders from the site-key administrator to take effect, they need to be added in the Escrow Certificates section in the left panel in the tab. This section allows the Site-key administrators to sign escrow user certificates.

Signed escrow certificates come from:

  • Site-key administrator, when they are signed using the site key (typical orders are related to escrow user control).
  • Escrow user, when they are signed with the key of a specific user.

  1. Navigate to the tab along the top of the page.
  2. In the navigation pane, select Users.
  3. Find and select the user you would like to edit.
  4. Click the Certifications button on the top sidebar.
  5. Choose a requirement for the certification.
  6. Choose an expiration date for the certification.
  7. Select whether you want to skip the certification expiration date or re-update it once it expires.
  8. Click the to certify the user.

info

You can only select one requirement per certification.

tip

You can also access certifications by selecting the user, and clicking on Open Overlay on top right panel, then clicking on Member Certifications in the left panel.

Adding a certificate