
Introduction

tiCrypt is a NIST 800-171 and CMMC 2.0 compliant research enclave.

Who should use tiCrypt

Universities and Research Institutions

  • For secure collaboration on federally regulated or sensitive research (CUI, HIPAA, ITAR, DFARS, NIH, DoD, NSF, etc.).

Researchers Handling Controlled Data

  • For projects that require compliance with NIST 800-171, CMMC 2.0 Level 2, or FISMA Moderate standards.

IT and Research Computing Teams

  • For managing high-performance computing (HPC) or virtualization environments with strict data isolation and access control.

Principal Investigators and Lab Managers

  • For securely storing, analyzing, and sharing research data without sacrificing usability or speed.

Compliance and Security Officers

  • For maintaining verifiable audit trails, encryption at rest and in use, and full key ownership.

University Legal and Contracts Offices

  • For ensuring data protection clauses, federal compliance, and institutional oversight are technically enforced.

Industry and Government Partners

  • For secure, collaborative environments across institutional boundaries with cryptographic separation of duties.

tiCrypt Principles

Security First

  • tiCrypt security is a one-piece architecture with all its components working as one. Data is protected through enforced cryptographic isolation, and users authenticate using private and public keys instead of passwords. Each resource is independently protected.

Separation of Duties

  • In tiCrypt, admin power is decentralized across the system to reduce the risk of social engineering attacks. Admins set security mechanisms and monitor system usage, while users retain control over their own data. Access control and end-to-end encryption are enforced together, with two-factor authentication (2FA) as an additional security layer.

Mechanism over Policy

  • tiCrypt prioritizes user behaviour enforcement through system mechanisms rather than relying on written policies. Mechanisms are built to automatically prevent improper user actions and minimize human error.

Diverse Research Workflows

  • tiCrypt supports workflows on Windows and Linux operating systems, AI workloads with GPU support, and compatibility with various hardware devices. Deployment options include on-premises bare-metal servers, public cloud platforms (AWS, Azure, Google Cloud), hyper-converged solutions (Nutanix, RedHat), and hybrid models combining on-premises and cloud resources. tiCrypt can utilize VM hosts from both cloud environments and high-performance computing clusters, and integrates with SLURM, Duo, Shibboleth, firewalls, and VPNs.

Detailed Auditing

  • tiCrypt features an audit system that generates detailed reports, maintains a complete audit trail, and preserves logs for the entire system history. Auditing meets compliance requirements for complex projects and is designed to satisfy the strict standards of public institutions. Reports support data behavior analysis and prediction.

System Architecture

Mechanism

  • tiCrypt operates with a default-shut security model: everything is blocked unless explicitly allowed. While most quantum computers can process 2^25 possibilities, breaking into tiCrypt would require 2^256 attempts per private key, offering security comparable to Bitcoin.
  • Each user logs into tiCrypt using a private-public key pair stored locally on their browser and machine, with a digital signature recognized by the system for authentication. Account recovery is handled through an offline key escrow process.

Compliance

The tiCrypt whitepaper provides a detailed explanation of how tiCrypt achieves compliance.

Updates

  • tiCrypt is a fast-paced evolving product with new versions coming up every few days.
  • Updates are performed automatically; new features and user requests are added to the documentation weekly.

How to Read tiCrypt Documentation

Prerequisites

  • State the access level for an action: some actions can be performed by user roles, while others can be performed only by admin roles.
  • State the permissions required to perform the specific action.

Example of Prerequisites

Access Level: User, Sub-admin
Permission Requirements:
  • View own teams
  • Edit own teams

Legends

  • For some sections, a legend explains the terms and symbols used for certain actions.
Example of Legend
  • VMs = Virtual Machines table overview.
  • Running = the virtual machine is connected and running normally.
  • Not Running = the virtual machine has an error and cannot run.

Admonitions

  • Each action usually includes an admonition, as shown below.
note

Provides additional context or related information about the action.

info

Highlights important details or facts about the action.

tip

Provides practical advice to help you perform an action more effectively.

caution

Warns about potential issues or risks if the action is not performed correctly.

danger

Alerts you to serious risks or immediate dangers associated with the action.

Confirmations, Errors and Solutions

  • Most actions generate notifications for confirmations, errors, and warnings.
    This section explains how to resolve errors related to each action.
Example of Confirmations, Errors and Solutions
  • Confirmations: Directory your-directory-name created successfully.
  • Errors: You do not have permission to make a new directory.
  • Solutions: Ask your admin to activate your Create directories permission.
  • Warnings: Not enough disk space to copy your-file-name.file-format when performing the transfer from your Mac to your VM.

Action Steps

  • Each action includes numbered steps and symbols corresponding to the product UI.

Example of Action Steps: Create a New Directory

  1. Go to the Vault icon in the top left panel.
  2. Click the My files section on the left panel.
  3. Click the New Directory button in the top center panel.
  4. In the prompt, enter the new directory name.
  5. Click Create directory.

Action Tags

  • Actions may include tags, which appear under the action title before the action steps.
Example of Action Tag

bulk-action: this action can be performed at scale.

Get Started with tiCrypt

1. Installation

2. Account Registration

3. My First tiCrypt Account

tiCrypt Functionality

Sections

  • Sections are spread across three tabs in the tiCrypt menu.
    • Vault: where your data resides.
    • Virtual Machines: where you access your remote virtual desktop.
    • Management: where admins control the system.

Dictionary

  • Terminology includes the explained tiCrypt wording and terms. Use this to search for keywords you do not immediately understand.

Data Filters

  • Filters make navigation easier, specifically in the Management tab. Use them as an admin.
  • Exports & Refresh cover moving data out of tiCrypt for very specific scenarios.

Permissions

  • Permissions control every action a user takes in the system. Permissions are managed by admins.

Elements

  • Elements are the symbols and icons of the product. Elements are user intuitive and easy to remember. Most users learn the elements while using the product. If you are a beginner you can pin elements in each menu.

User Roles

  • User roles are sets of permissions stacked into a role.
  • tiCrypt applies one of the following roles to each user:
    • User: performs research and uses virtual machines.
    • Sub-admin: runs teams and projects.
    • Admin: controls the user management and larger operations.
    • Super-admin: controls the relation to backend and system settings.
    • Escrow User: helps users to recover their lost private keys.
    • Site-key Admin: performs digital signatures as part of private key recovery.

Using tiCrypt Vault

tiCrypt is easy to use. You have three panels as a user:

  • Left panel: where your file directories show up.
  • Middle panel: where your vault files are located.
  • Right panel: where your co-worker users, groups and projects show up.

File Index

  • Create Directories: Learn how to make new folders to organize your work.
  • Upload: Bring data into tiCrypt securely.
  • Download: Download data from tiCrypt locally.
  • Transfer: Learn how to transfer files from the cloud, SFTP and local storage into tiCrypt.
  • View: View a large variety of file formats in your vault.
  • Share: Share and receive files from other tiCrypt users and admins; create file restrictions and access levels.
  • Rename: Rename files for better management.
  • Change Project: Tag your files with projects to restrict them.
  • View History: View the full file history for audit purposes.
  • Compute Disk Usage: Find out the exact space on disk for files and compute hashes.
  • Delete: Delete files that are obsolete.
  • Inboxes: Use inboxes to receive data from outside sources.

Vault Index

  • Users: Meet your co-workers in one place.
  • Groups: Create groups to organize research topics.
  • Projects: Run projects to isolate collective data.

Using tiCrypt Virtual Machines

Vault Index

  • Virtual Machines: Start your research via secured virtual desktop machines.
  • Drives: Store all your research on encrypted drives attached to your virtual machines.
  • Terminals: Run commands at scale from your virtual machine's terminals.

tiCrypt from an Admin Perspective

If you are an admin in tiCrypt, you will primarily use the Management tab to oversee system operations and manage user settings. However, you do not have access to user data unless the user explicitly grants you access.

Users Management Index

  • Users: Meet your co-workers in one place.
  • Deleted Users: View and restore deleted users in the system.
  • Sub-admin Managed Objects: Create groups to organize research topics.
  • Users Profiles: Run projects to isolate collective data.
  • Onboard: Onboard and update large groups of users at scale.
  • Resources by User: View and control resources for each user in the system.
  • Groups: Manage all groups in the system.
  • Teams: Create and manage teams of users.
  • Team Memberships: View team memberships of each user.
  • Security Requirements: Build security requirements for projects at scale.
  • Security Levels: Wrap security requirements into security levels at scale.
  • Projects: Manage all system projects in one place.
  • Project Memberships: Monitor project memberships for all users.
  • User Certifications: Certify users for project security levels.
  • Resources by Project: View individual resources per project.

VM Management Index

  • Realms: View Libvirt and Nutanix configuration realms.
  • Libvirt Hosts: Set the state and utilization of hosts registered in the realm.
  • Hardware Profiles: Create and manage hardware profiles within the host space.
  • Libvirt Storage Pools: Create and maintain Libvirt storage pools for drives, hardware setups, images, ISOs and others.
  • Libvirt Volumes: View and analyze existing Libvirt volumes with allocated space.
  • VM Images: Create and set up VM images in Linux, Windows and other parameters.
  • VM Hardware Setups: Create VM hardware setups to be able to create and run VM configurations.
  • VM Configurations: Create and manage VM configurations for users, where all the research is performed securely.
  • Running VMs: View and control the states of running VMs in the system.
  • Past VMs: Audit the past VMs and view their backend logs.
  • Service VMs: Create service VMs as part of the VM controller ecosystem that manages multiple VMs at scale.
  • Drives: Build and manage encrypted drives to store the data of existing VMs and the research work.
  • Devices: Create and tag devices for esoteric video CPUs that require simulations at scale.
  • NFS Mounts: Build and manage NFS drives to serve the backend server NFS in Windows VMs.
  • ISO Images: Upload and maintain ISO images in the system to use readers and tokens.
  • Licensing Servers: Use licensing servers over TCP or UDP to run smoothly on specific domains or IPv4 addresses.

Slurm Manager Index

  • Slurm Configuration: View the SLURM configuration from the front-end.
  • Slurm Diagnostics: View SLURM diagnostics from the front-end.
  • Nodes: View the SLURM nodes for debugging from the front-end.
  • Jobs: View live SLURM jobs from the front-end.

Escrow Management Index

  • Escrow Users: Set up escrow users to recover users' lost private keys in a traditional way.
  • Escrow Certificates: Sign and send escrow certificates to the site-key admin for counter-signature operations.
  • Escrow Groups: Organize offline individual groups to manage escrow recovery securely and efficiently.

Settings Index

  • System Services History: Move back in time to view each system change.
  • System Settings: Update the UX and UI of the system from a single menu.
  • Custom Fields: Create and manage team and project custom fields to fulfill the institution's needs.

Miscellaneous Management Index

  • System Services: View the running backend system services in one place.
  • Audit Logs: Check the audit at any point in time for any user, group, team, project or VM infrastructure.
  • API Keys: Create and integrate API keys into tiCrypt.
  • External SFTP Servers: Access external SFTP servers.

System Admin Backend Breakdown

Each backend command includes an explanatory table with the following columns.

Parameter

  • The dependencies required for the command to run.

Type

  • Specifies the type of parameter, such as string, port, or number.

Required

  • Indicates whether the parameter is required for the command to execute.

Description

  • Explanation of the parameter.

tiCrypt Backend Index

  • Installation: Install tiCrypt as an admin.
  • Audit: Install, set up, configure and update the system audit from the backend; uses a token-based REST API.
  • Backend: Maintain the tiCrypt backend via Libvirt realms, MFA, MongoDB, Nutanix, and service configurations.
  • Common: Common firewall and Nginx instructions and installations.
  • Mailbox: tiCrypt Mailbox configurations, installations and web app instructions.
  • VM Images: VM images, from installation, Xpra on Linux, debugging, enabling SFTP, boot-up integration and app installation, through to fully set up working VM images.