Skip to main content

tiCrypt Admins

tiCrypt Administrator Overview

tiCrypt administrators are the managers of the system and have a minimal role in the escrowing process.

The main actions concerning key escrow performed by tiCrypt administrators are:

  • Control when/if the user's key is escrowed. This action is accomplished by setting the user's state to Escrow on next Login.
  • Read escrow certificates of existing users by Viewing their certificates in JSON format.
  • Remove existing user key escrows by Requesting deletion of the encrypted group keys shared with escrow users.
  • Apply signed orders by Executing certificates from the site-key administrator.

The administrators can control submission of site-key signed orders but cannot change such orders.


Submitting valid but incorrectly signed certificates results in a security violation and is reported in tiCrypt Audit.


The role of the administrators for key de-escrowing is severely limited.

Set up a User Escrow Key

tiCrypt escrow process is designed to minimize admin power. The admins will only sign the site key when they receive it. However, they cannot actively create escrow keys for users without the involvement of both the escrow groups and the site-key administrator.

To set an escrow key for a user navigate to the tab in the Users section.

  • Select the user you want to escrow the key for.
  • Click the Change State button in the top right.
  • In the prompt, select the Active on next login option.
  • Click .

The escrow key for the user will show up in the escrow group interface, which is separated from the tiCrypt main system. The generated escrow key will be used in the event of private key recovery in the future and is now the escrow group and site-key admin responsibility.


If an admin refuses to Change state of the user to Active and Escrow on next login, the escrow recovery key will never be generated in the first place, hence making it impossible to recover the user's account in the future.

You can also perform this action by selecting the user, and clicking on Open Overlay in the top right panel, then clicking on Active in the left panel and selecting the option Active and escrow on next login in the prompt, then clicking on .

When an admin selects Escrow on Next login:

  • The backend triggers the message "you can only perform one action now which is escrowing the key." to frontend automatically.
  • The frontend escrows the key in milliseconds.
  • The user does not have to do anything except to login into the system.

Neither the site-admin nor escrow users can sign keys alone. They must collaborate to sign them together.


For newly created accounts, you should allow all users to get their keys escrowed if they lose their private key in the future.


To learn more about changing user state to escrow on the next login, please read the Admin Management- Change User State section.

View Escrow Users

To view the escrow users, navigate to the tab in the Escrow Users section.

  • View all existing escrow users in the system.
  • Only Super-admins can view this management section.
  • In this section, only deletion requests can be made.

Delete Escrow Users

1.First (Super admins only):

To delete an escrow user from the system navigate to the tab in the Escrow Users section.

  • Select the escrow user you would like to delete.
  • Click the Create deletion request button in the top right.
  • View the downloaded request file in your local machine.
  • Email the request file to the site-key admin.

2. Second (Site-key admin only):

  • Log in to the site-key interface.
  • Click the button in the top left card.
  • In the prompt, select the received request file from super-admin.
  • Click .
  • Tick the Sign box.
  • Type your password in the top right panel.
  • Click .
  • Email the signed request file back to the super-admin.

3. Third (Super admins only):

To execute the request file navigate to tab in the Escrow Certificates section.

  • Click the Execute Signed Certificates button in the top right.
  • In the prompt, click .
  • In the prompt, find and select the request file from site-key admin.
  • Click .
  • Click .
Now, the escrow user is deleted and can no longer log in.
  • In the backend the signed document simply says that "this is an order to remove an escrow user."
  • The site-key admin must communicate with the super admin about adding or removing an escrow user at all times.
  • Only signed orders from the site-key admin can control the escrow users.

View Escrow Certificates

The only action in this section is viewing the signed orders.

To view the signed orders navigate to tab in the Escrow Certificates section.

  • Select the escrow certificate you would like to view.
  • Click View Certificate JSON in the top right.
  • In the prompt, view the certificate in JSON format.
  • Click .

Upload Escrow Certificates

Before uploading an escrow certificate, send the generated .json file to the site-key administrator for counter-signing. Wait for them to sign the order as described in the site-key admin escrow groups. To upload a signed certificate navigate to tab in the Escrow Certificates section.

  • Click the Execute Signed Certificates button in the top right.
  • In the prompt, click .
  • In the prompt, find and select the signed certificate from site-key admin.
  • Click .
  • Click .