Skip to main content

Configuring services

The types of values used in the description of parameters are:

String"an example"String value
Booltrue, falseBoolean value
Int42Whole number value
Port22Number between 0 and 65535
Range"5000-5010"Range of ports
Duration1 minute, 3 daysDuration with unit of measure
Size16 MiB, 3 GBFile size with unit of measure
ArrPort[5000, 5002, 5005]List/Array of port values
ArrString["a", "b", "c"]List/Array of string values
ArrNET[ ]List/Array of IP networks

Each of the ten services that make up tiCrypt backend has its own configuration file and options. Two of the services require complicated settings, and they have their own chapters:

  • ticrypt-auth: See ???

  • ticrypt-vm: See ???

Shared Sections

Almost all the services need the following sections. The configuration is virtually identical across services.

mongodb section

All tiCrypt services use MongoDB as the backing database. Each of the ten services has its own database that can have its unique connectivity options. The supported parameters are the same.

databaseStringThe name of the MongoDB database
hostnameStringHostname hosting the MongoDB server
portPortPort of MongoDB
userStringUser name for MongoDB
passwordStringThe password of user

Alternatively, the uri parameter can be specified. It has the form: "mongodb://user:password@localhost:27017/${database}"

Do not specify both the uri and the hostname,port,user, password` parameters.

ticrypt.auth section

All the services need to know how to contact ticrypt.auth. They all must have the section ticrypt.auth in their configuration file with the parameters:

hostnameStringHostname of ticrypt.auth
portPortPort on which ticrypt.auth runs

akka parameters

The tiCrypt services use the AKKA framework to communicate. Two parameters are controlling the AKKA communication.


Specifies the interface on which to listen. If all the services run on a single server, the value is appropriate.


This is the port number on which the component listens. Keep the default value for each component since it guarantees non-collision. It can be changed, but with caution.

ticrypt-rest config

ticrypt-rest section

mongodbSectionSee mongo-ti
http.hostStringThe host to listen to
http.portPortThe port to listen to
allowed-originsArrStringList of origins. Empty means all
vm.internal-networksArrNETList of internal nets.
validation.request-jsonon, offTurn on JSON request validation?
validation.response-jsonon, offTurn on JSON response validation for cookie problem

akka.http.server section

The goal of this section is to specify AKKA parameters controlling the HTTP server.

parsing.max-content-lengthSizeMax content size
request-timeoutDurationMax duration of request
idle-timeoutDurationMax duration of connection
pipelining-limitIntHow many request in parallel?

parsing.max-content-length must be 50% more than the length of a chunk. The default "16 MiB" value is recommended.

idle-timeout must be longer than request-timeout

ticrypt-file-manager config

Parameters for section ticrypt.filemanager

mongodbSectionSee mongo-ti
chunk-sizeSizeChunk size
max-header-sizeIntMax header size
akka.remote.netty.tcp.hostnameSee akka
akka.remote.netty.tcp.portSee akka

There should be no reason to change the chunk-size value from 8GB

max-header-size is a dangerous value to change—the default of 64 bytes future proofs the tiCrypt instance.

ticrypt-storage config

Parameters for the section

pathStringPath to file storage directory
idle-timeDurationHow long to wait on connection
idle-checkDurationHow often to check on connection
akka.remote.netty.tcp.hostnameSee akka
akka.remote.netty.tcp.portSee akka

ticrypt-proxy config

Parameters for the section ticrypt.proxy:

interfaceStringInterface to listen on
portsArrPortsPorts to use
proxy-ttlDurationHow much to wait for connection
akka.remote.netty.tcp.hostnameSee akka
akka.remote.netty.tcp.portSee akka

interface parameter is critical. You must listen only on the domain used for proxying. Failure to do so can open security attacks.

ports can specify ranges. E.g. [ "6000-6010" ]

The ports specified by the ports parameter must be accessible from the outside. The firewall rules must be coordinated with this option.

ticrypt-logger config

Parameters for the section ticrypt.logger:

driversSectionSee below
rotate-logon, offRotate the logs?
rotate-log-frequencyDurationHow often?
rotate-log-suffix-formatStringFormat 1
rotate-log-suffix-timezoneStringTimezone, default UTC
max-buffered-linesIntHow many lines to buffer?
akka.remote.netty.tcp.hostnameSee akka
akka.remote.netty.tcp.portSee akka

See - Time and Date↩︎ The default parameters should be suitable for most situations. The only parameter you should contemplate changing is max-buffered-lines if you notice performance degradation.

drivers section

The goal of this section is to specifies how the logs are stored. A typical setup is the following

drivers {
main-file-logger {
main = true
immutable = true
type = "file"
log-file = "/var/log/ticrypt/ticrypt-secure-log.log"
tcp-logger {
immutable = false
main = false
type = "tcp"
host = "localhost"
port = 25000
send-timeout = 30s
retry-timeout = 5s


The main-file-logger is a master copy of the log and is kept locally. The tcp-logger specifies a remote logger that is updated on port 25000 hosted on localhost.

The tcp-logger is primarily used by tiCrypt Audit.

Changing the main-file-logger is problematic since it might result in a non-functioning system.

ticrypt-stats config

Parameters for the section ticrypt.stats:

akka.remote.netty.tcp.hostnameSee akka
akka.remote.netty.tcp.portSee akka

ticrypt-notifications config

Parameters for the section ticrypt.notifications:

akka.remote.netty.tcp.hostnameSee akka
akka.remote.netty.tcp.portSee akka

ticrypt-maintainance config

Parameters for the section ticrypt.maintainance:

account-lockerSectionSee below
akka.remote.netty.tcp.hostnameSee akka
akka.remote.netty.tcp.portSee akka

account-locker section

enabledBoolIs the feature enabled?
frequencyDurationHow often to check?
time-before-account-oldDurationWhen is the account old?

ticrypt-backup config

Parameters for section ticrypt.backup:

public-key-locationStringFile where SSH public key is stored (for remove SSH authentication)
identifierStringThe prefix for backup directory names
backup-baseStringDirectory where to place backups
storage-baseStringDirectory where file chunks are stored. Must match value in ticrypt-storage
backup-minIntTime in hours from midnight for backup time window
backup-maxIntTime in hours from midnight for backup time window