Skip to main content

tiCrypt Admin

What is a tiCrypt Administrator?

tiCrypt administrators are the managers of the system and have a minimal role in the escrowing process.

The main actions concerning key escrow performed by tiCrypt administrators are:

  • Control when/if the user's key is escrowed. This is accomplished by setting the user's state to Escrow on Login.
  • Remove existing user key escrows by deleting the encrypted group keys shared with escrow users.
  • Apply signed orders from the site-key administrator.

The administrators can control whether to submit site-key signed orders but cannot change such orders in any way.


Submitting valid but incorrectly signed certificate results in a security violation and is reported in tiCrypt Audit.


The role of the administrators for key de-escrowing is severely limited.

How do tiCrypt admins work?

tiCrypt escrow process is designed to minimize admin power. The admins will only sign the site-key when they receive it. However, they cannot actively create escrow keys for users without the involvement of both the escrow groups and the site-key administrator.

For newly created accounts, admins should allow users to get their keys escrowed in case they lose their private key in the future.


This is the only way a user account can be recovered. If an admin refuses to Change state of the user to Active and Escrow on next login, the escrow recovery key will never be generated in the first place, hence making it impossible to recover the user's account in the future.

Changes User State to Escrow

Set a User Escrow Key

To set an escrow key for a user navigate to the tab along the top of the page.

In the navigation pane, select Users section.
Find and select the user you would like to escrow the key of.
Click the Change State button on the top sidebar.
Select the Active on next login option in the prompted window.
Click on the bottom right to escrow user key on next login.

You can also perform this action by selecting the user, and clicking on Open Overlay on top right panel, then clicking on Active in the left panel and select the option Active and escrow on next login on top right panel, then clicking on .

User Active Escrow

The next time the user will login it will generate an escrow key which will be used in the event of private key recovery in the future.

View Escrow Users

Users with a super-admin role may have permissions to view the escrow users and groups in the management tab.The Escrow Users section provides information on the existing escrow users. Within the Escrow Users tab, only a deletion request can be made.

To view the escrow users, navigate to the tab along the top of the page.

In the navigation pane, select Escrow Users.
View all escrow users in the system.
Viewing Escrow Users

Delete Escrow Users

  • The Create Deletion Request create a deletion request for the selected user.

As explained in section Delete-Escrow-User, only signed orders from the site-key administrator can control the escrow users.

View Escrow Certificates

The only allowed actions are to view the signed orders by clicking on View Certificate JSON in the top right panel and to execute signed certificates. Usually, the signed order provides more details on the action taken due to the signed certificate.

Upload Escrow Certificates

To upload a signed certificate click on Execute Signed Certificates in the top right panel. You will be prompted a window. Click on button and upload the signed certificate then click .


Send the generated .json file to the site-key administrator for counter-signing. Wait for them to sign order as described in the site-key admin escrow groups.

Add Certificate(s) to Users

The site-key administration is performed using signed orders/certificates. For security reasons and separation of responsibilities, the site-key administrator does not have direct access to the system. For orders from the site-key administrator to take effect, they need to be added in the Escrow Certificates section in the left panel in the tab. This section allows the Site-key administrators to sign escrow user certificates.

Signed escrow certificates come from:

  • Site-key administrator when they are signed using the site key. (typical orders are related to escrow user control)
  • Escrow user when they are signed with the key of a specific user.

Navigate to the tab along the top of the page.
In the navigation pane, select Users
Find and select the user you would like to edit.
Click the Certifications button on the top sidebar.
Choose a requirement for the certification.
Choose an expiration date for the certification.
Select if you want to skip the certification expiration date or re-update it once it expires.
Click the to certify the user.

You can only select one requirement per certification.


You can also access certifications by selecting the user, and clicking on Open Overlay on top right panel, then clicking on Member Certifications in the left panel.

Adding a certificate