Skip to main content

Installation and setup


Our recommended setup uses

  • CentOS/RedHat 7.0 for the operating system
  • Nginx as the webserver in front of tiCrypt
  • firewalld as the firewall software
  • openssl

All the commands in this section need to be executed as root

If Nginx is not installed,you can do:

wget yum -y install epel-release-latest-7.noarch.rpm yum -y update yum -y install nginx

then make sure it is enabled and started:

systemctl start nginx systemctl enable nginx

We now need to set up the firewall to allow Nginx access from outside. If firewalld is not installed and enabled, you can first do:

yum -y install firewalld systemctl enable firewalld

Make sure openssl is installed as well:

Installing tiCrypt from RPMs

The tiCrypt backend is made available in the form of RPMs for CentOS/Redhat 7.0. The latest version is available as a .tgz archive from link:{tc-ver}-1.tgz[]

First step is to download and install these RPMs: [subs="attributes+"]

Grap the archive


Unpack the archive

tar -xzvf ticrypt-{tc-ver}-1.tgz

Install the RPMs

cd ticrypt-{tc-ver}-1 yum -y install *.rpm

Since tiCrypt has 10 services, dealing with them using systemctl is tedious. A small script that performs a service operation on all of the help a lot. Using an editor, create the file with the content: [source,bash]


for s in auth file-manager maintenance proxy stats vm logger notifications rest storage; do
systemctl $1 ticrypt-$s

Make sure you make it an executable:

chmod a+x

Using this script we can now enable all tiCrypt services:

./ enable

Setting up firewall rules for tiCrypt

firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --runtime-to-permanent # save anything you're currently working on
firewall-cmd --permanent --new-service=ticrypt-proxy
firewall-cmd --permanent --service=ticrypt-proxy --set-short='tiCrypt Proxy'
firewall-cmd --permanent --service=ticrypt-proxy --set-description='Encrypted tunnels for tiCrypt VM traffic'
firewall-cmd --permanent --service=ticrypt-proxy --add-port=6000-6010/tcp
firewall-cmd --reload
firewall-cmd --zone=public --add-service=ticrypt-proxy
firewall-cmd --runtime-to-permanent

In the above, we assumed that we will use the port range 6000-6010 for the tiCrypt proxy. If that is not the case, this rule needs to be changed accordingly.

Setting up Nginx config files for tiCrypt

tiCrypt REST API will be set up using file /etc/nginx/conf.d/rest.ticrypt.conf.

The following configuration file is based on Mozilla's SSL Configuration Generator.

Assuming that:

  • The tiCrypt server is abailable at
  • The tiCrypt REST API runs on port 8080
  • The TLS/SSL combined certificate and chain is stored in /etc/pki/tls/certs/example-stacked.crt
  • The TLS/SSL trust chain is stored in /etc/pki/tls/certs/example-chain.crt
  • The TLS/SSL key is stored in: /etc/pki/tls/private/example.key

the configuration file can look like:


# Used to properly map HTTP headers for WebSocket connections
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;

upstream tc-backend {

server {
### Configuration based on Mozilla Configuration Tool
listen 443 ssl;
listen [::]:443 ssl;

ssl_certificate /etc/pki/tls/certs/example-stacked.crt;
ssl_certificate_key /etc/pki/tls/private/example.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;

# curl > /etc/pki/tls/dhparam.pem
# OR
# openssl dhparam -outform pem -out /etc/pki/tls/dhparam.pem 2048
ssl_dhparam /etc/pki/tls/dhparam.pem;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/pki/tls/certs/example-chain.crt;

# replace with the IP address of your resolver

### Begin Custom Rules ###

root /var/www/ticrypt-rest;

add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "script-src 'unsafe-inline' 'unsafe-eval' 'self'; frame-ancestors 'self'*";

#### This is critical for tiCrypt ####
client_max_body_size 16M;

location / {
try_files $uri @proxy;

location /static {
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
add_header 'Access-Control-Expose-Headers' 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';

location @proxy {
proxy_pass http://tc-backend;
proxy_redirect off;
proxy_buffering off;
proxy_cache off;
proxy_http_version 1.1;
proxy_read_timeout 900s;
proxy_connect_timeout 360s;
proxy_send_timeout 360s;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

You will need to customize the values for your situation.

We first do:

Create the static directory for tiCrypt REST

mkdir -p /var/www/ticrypt-rest