Skip to main content

VM bootup and integration process

To understand the instructions in the rest of the document, it is important to understand the sequence of steps a VM must take to correctly integrate into the tiCrypt infrastructure.

  1. The tiCrypt backend starts the VM and assigns a VM-UUID which also servers as the VM id

  2. The VM boots using the VM image specified in the VM Brick then goes through the startup procedure and start the tiCrypt Stub

  3. The tiCrypt Stub contacts the tiCrypt Controller Server and downloads the latest global configuration file and the latest VM Controller.

  4. The VM Controller gets started by the Stub and does the following:

    1. Generates an RSA-2048 public-private key pair.

    2. Tries to grab port 22 of the VM. This will be used to support user access to applications. If it cannot bind to port 22 it abandons the whole process. This is intentional since port 22 is the only port that is not blocked by the tiCrypt infrastructure.

    3. Contacts the tiCrypt backend and registers itself by informing of its UUID (determined within the VM) and the VM public key. The reply from tiCrypt backend consists of configuration information and Owner’s Public key

    4. Makes a Websocket connection into the tiCrypt backend waiting for the sister connection coming from the user’s tiCrypt front-end session.

  5. If the VM does not register within a configurable amount of time (5 minutes is typical) the tiCrypt backend will kill the VM for security reasons

  6. When the owner of the VM establishes a connection with the VM Controller via the tiCrypt backend proxied WebSockets, they co-authenticate using respective public keys (which they know at this time) and then they start the rest of the bootup procedure. Up to this point, no user data is available into the VM, only the generic boot image. Then:

    1. The drives are attached, and their keys are sent to the VM controller and mounted (using Bitlocker for Windows and LUKS for Linux)

    2. The user database stored on the first attached drive is used to create the users, groups, and access directories.

Things that can prevent the VM from integrating

  1. The tiCrypt Stub does not start or it does not have Admin/root privileges

  2. The tiCrypt Controller and config cannot be downloaded

  3. Port 22 cannot be grabbed. This happens if OpenSSH is installed (which is needed for the SFTP feature) and it starts automatically at boot (which has to be turned off).

  4. The VM Controller cannot reach the tiCrypt backend to register or to make the WebSocket connection with the front-end.