Skip to main content
Last updated: June 29, 2026Latest Frontend Version: 2.17.3

User Guide Overview

This article introduces everything available to you as a tiCrypt user. It covers three areas: your account and settings, the Vault (tiCrypt's encrypted file management interface), and virtual machines. Each section explains what the feature does, why it exists, and where to find step-by-step instructions.

tiCrypt is accessed through the tiCrypt Connect desktop application, which connects to your institution's deployment. When you register your account, tiCrypt generates a key file containing your private encryption key, which you download and save to your device. You load this key file each time you log in. This key file is essential: it is the only way to decrypt your data. Store backup copies in secure locations and never share it. If you lose both your password and your key file, your data cannot be recovered unless your deployment has key escrow configured (see your administrator for details).

A few concepts appear throughout tiCrypt and are worth defining up front:

  • Teams control resource allocation. Every VM, drive, and storage quota belongs to a team. Your administrator assigns you to one or more teams, and each team defines how many CPU cores, how much memory, and how much drive storage you can use.
  • Projects are a tagging mechanism with system-enforced separation. When a resource (file, drive, VM, or inbox) is tagged with a project, only active members of that project can access it. Projects organize work around research efforts, contracts, or compliance boundaries.
  • Groups are collaborative collections of users who share access to resources. Unlike teams (which govern quotas), groups let you share files and drives with a defined set of collaborators.
  • User Profiles (also called Permission Profiles) bundle a role with granular permissions into a named template. Your administrator assigns a profile that determines what you can do in tiCrypt. If you need access to a feature and do not see it, ask your administrator to update your profile. Your administrator may also use an Onboarding Template to assign your profile, teams, projects, and certifications in a single step.

Account and Settings

The Account and Settings section covers your identity, preferences, and session management in tiCrypt. Access all account features through the Open User Menu icon in the top-left corner.

Profile

Your profile is the central view of your tiCrypt identity. It contains:

  • Overview: your username, email, state, assigned profile, certifications, teams, projects, VM configurations, running VMs, and drives.
  • Properties: your state (Active, Inactive, or Active and escrow on next login, which means your encryption keys will be backed up for recovery purposes at your next login), your assigned User Profile, and your certifications.
  • Associations: the teams, projects, and groups you belong to. From here you can add or remove yourself from teams, projects, and groups (if your permissions allow).
  • Virtual machines: your VM configurations, running VMs, and drives. You can start, share, connect to, and manage VMs directly from your profile.

From your profile you can also transfer files between your Vault and a running VM, open remote desktop connections, launch terminal sessions, and manage drive sharing. All of these actions are available without navigating to separate interfaces.

For step-by-step instructions, see Profile.

Certifications

Some projects require security certifications before you can access their resources. A certification is an attestation that you meet a specific security requirement (for example, training completion or clearance verification). Your administrator or project manager grants certifications, and each one has an optional expiration date.

You can view your certifications in your profile under Properties > Certifications. If a project requires a certification you do not hold, you will not be able to access resources tagged with that project until the certification is granted.

Teams' Resource Usage

This view shows how much of your team's resource quota you and your team are consuming. It displays:

  • Vault storage: total storage available for your encrypted files.
  • Overall team quota: the team's total allocation for CPU cores, memory, and drive storage.
  • Your quota within the team: your personal allocation within the team's limits.

If your resources are running low, contact your administrator to request an increase. This view may require elevated permissions; if you do not see it, contact your administrator.

For step-by-step instructions, see Teams' Resource Usage.

User Settings

User settings let you customize the tiCrypt interface:

  • Toolbar position: move the toolbar to the top, left, bottom, or right of the screen.
  • Theme: choose from Default for OS, Modern, Light, Dark, or High Contrast. The High Contrast theme complies with the Web Content Accessibility Guidelines.

Settings take effect immediately and persist across sessions.

For step-by-step instructions, see User Settings.

Change Password

Changing your password generates a new private key and a new key file. Your old key file will no longer work. After changing your password:

  1. Delete all copies of the old key file.
  2. Download the new key file at your next login.
  3. Store backup copies of the new key file in secure locations.

If your deployment has split credentials enabled (the server stores part of the encryption material separately, so neither the client nor the server alone can recover the private key), the server-side credentials are also regenerated, making the old key permanently invalid. You have five total attempts to enter your current password before your account is locked indefinitely. If your deployment uses key escrow, your administrator may be able to recover your access; contact your administrator for details.

For step-by-step instructions, see Change Password.

Profile Picture

You can upload a custom profile picture or use the system-generated color pattern. Supported formats are EPS and SVG, and the recommended size is approximately 280px tall by 600px wide. You can resize and crop the image within tiCrypt before saving.

For step-by-step instructions, see Profile Picture.

Logout, Exit, and Session Security

tiCrypt provides several session management options:

  • Log out: ends your active session. A 60-second countdown starts; if you do not cancel, the system logs you out automatically. Closing the tiCrypt Connect application window also logs you out immediately.
  • Exit tiCrypt Edge: disconnects from the tiCrypt Connect deployment entirely.
  • Purge key from memory: a security measure that clears your encryption keys from memory. The key is automatically purged when the timer reaches zero.
  • Reset session lock timer: extends your re-login window during inactivity. The timer resets automatically.
  • Download debug logs: exports diagnostic logs to your local machine for troubleshooting.
  • Return to Connect: switches between deployments (when your institution has two or more).

For step-by-step instructions, see Logout and Exit.


Vault

The Vault is tiCrypt's general-purpose encrypted file storage, independent of any virtual machine. It is separate from the encrypted drives attached to VMs: drives hold data you work with inside a VM, while the Vault holds data at rest outside of VMs. The Vault also serves as the audited passthrough between external data sources and VMs. All file transfers into and out of VMs flow through the Vault, ensuring every operation is logged.

Every file stored in the Vault is split into 8 MB chunks, each encrypted independently with a unique AES-256 (Advanced Encryption Standard with 256-bit keys) key on your device before upload. The server infrastructure never holds your encryption keys. This means that even system administrators cannot read your files.

The Vault has five main areas, accessible from the Vault icon in the top-left taskbar: My Files (your personal file tree), Users (team members you can collaborate with), Groups (collaborative user collections), Projects (tagged groupings of resources), and Inboxes (secure file-receiving endpoints for external collaborators).

Users

The Users area shows other tiCrypt users you can collaborate with. What you see depends on your role:

  • Users see other members of their own teams.
  • Sub-Admins and Admins see users of teams they manage.

This view is where you find collaborators when you need to share files, add someone to a group, or invite a user to a project.

For step-by-step instructions, see Users.

Groups

Groups are collaborative collections of users who share access to files and resources. You can create groups, add members, and share files with an entire group in a single action rather than sharing with each user individually. Groups can also be associated with projects, and group membership determines which project resources are visible to group members.

Key group operations:

  1. Create a group and name it for your collaboration (e.g., "Lab Meeting Data").
  2. Add members from users visible to you.
  3. Share files with the group, granting all members access at once.
  4. Transfer ownership of a group to another member when responsibilities change.

For step-by-step instructions, see Groups.

Projects

Projects in the Vault are a tagging mechanism with system-enforced separation. When you tag a file, drive, VM, or inbox with a project, only active members of that project can access it. This enforcement is automatic and cannot be bypassed.

Projects organize resources around research efforts, contracts, or compliance boundaries. Some projects require security certifications: you must hold valid certifications for all requirements at the project's security level before you can access its resources.

Key project operations:

  1. View projects you are a member of from the Vault's Projects card.
  2. Tag resources with a project to restrict access to project members.
  3. Create subprojects (if you manage the parent project) for finer-grained organization.
  4. View members and their roles within a project.

For step-by-step instructions, see Projects.

Files

The Files area is the core of the Vault, where you manage your encrypted file tree. As described in the Vault introduction above, all files are encrypted and decrypted on your device. The server never sees the plaintext.

Creating Files and Directories

You can create directories to organize your work and create new files within those directories. Directories form a tree structure in the left panel of the Vault.

For step-by-step instructions, see Create.

Uploading Files

You can upload files through two methods:

  1. Upload button: click the Upload button in the top panel, select files from your local machine, and confirm.
  2. File Transfer Hub: a built-in drag-and-drop interface within the browser for transferring files between your local machine and the Vault.

Uploads support bulk actions, so you can select multiple files at once.

For step-by-step instructions, see Upload.

Downloading Files

Download files from the Vault to your local machine. The encrypted chunks are retrieved from the server, decrypted in your browser, and assembled into the original file. You can download individual files or select multiple files for bulk download.

For step-by-step instructions, see Download.

Viewing Files

View file contents directly within tiCrypt without downloading. The viewer decrypts and renders the file in your browser, supporting common file types.

For step-by-step instructions, see View.

Sharing Files

Share files with individual users or entire groups. Sharing grants each recipient an independently encrypted copy of the file's decryption key, so the server never has access to the decrypted content.

When sharing, you can set expiration dates and restrict recipients from viewing, downloading, or editing the file. Files can be shared only with groups you are a member of. Sharing supports bulk actions for selecting multiple files.

For step-by-step instructions, see Share.

Transferring Files

Transfer files between locations within the Vault, including between your personal file tree and shared spaces. Transfers support bulk selection.

For step-by-step instructions, see Transfer.

Renaming Files

Rename files and directories within the Vault.

For step-by-step instructions, see Rename.

Changing a File's Project Tag

Change which project a file is tagged with. This controls who can access the file: only active members of the tagged project will have access. If you are a project manager, you can also declassify files (remove the project tag).

For step-by-step instructions, see Change Project.

Viewing File History

View the version history of a file, including access, sharing, and project tagging history. This provides a complete audit trail of who accessed or modified the file and when.

For step-by-step instructions, see View History.

Computing Disk Usage

Check how much storage your files consume within the Vault. This helps you monitor your usage against your team's storage quota.

For step-by-step instructions, see Compute Disk Usage.

Deleting Files

Permanently remove files from the Vault. Deletion is irreversible.

For step-by-step instructions, see Delete.

Inboxes

Inboxes are secure file-receiving endpoints that let external users upload files into your Vault without needing a tiCrypt account. You create an inbox, set an expiration date and upload capacity, and share the generated URL with the uploader. Files uploaded through the inbox are encrypted and deposited into a directory you specify.

Inboxes are useful for receiving data from collaborators, research subjects, or external partners who do not have tiCrypt accounts.

Key inbox operations:

  1. Create an inbox by specifying a name, parent directory, expiration date, capacity, and a message for the uploader.
  2. Share the URL with the person who needs to upload files.
  3. Manage access points to view, edit, or delete inbox configurations.
  4. Convert a directory into an inbox by selecting "Manage Inbox" from the directory's menu.

For step-by-step instructions, see Inboxes.


Virtual Machines

tiCrypt provides fully encrypted virtual machines that run on isolated infrastructure. VM images reset on every boot, eliminating persistent malware. Drives attached to VMs are encrypted with LUKS (Linux Unified Key Setup, a disk encryption standard) for Linux or BitLocker for Windows, with encryption keys provided by the data owner. The server infrastructure never holds drive encryption keys.

Access virtual machines through the Virtual Machines icon in the top-left taskbar. The VM interface has four sections: VMs (your VM table), Drives (your encrypted storage), Terminals (command-line access), and Slurm (batch job submission).

Understanding the VM Lifecycle

Working with virtual machines in tiCrypt follows a consistent flow:

  1. Create a VM configuration: select a hardware setup (a preconfigured template, created by your administrator, that bundles an OS image with CPU cores, memory, and optional devices like GPUs), attach a home drive and any extra drives, assign the configuration to a team, and optionally tag it with a project.
  2. Start the VM: launch the configuration. tiCrypt provisions the VM on the host infrastructure, boots the image, and attaches your encrypted drives.
  3. Connect: access the running VM through RDP (Remote Desktop Protocol), a browser-based terminal, or a VNC (Virtual Network Computing) console.
  4. Work: use the VM as a standard Linux or Windows machine. Your drives are decrypted inside the VM using your keys.
  5. Transfer data: move files between the VM and your Vault, or use SFTP for larger transfers.
  6. Shut down: stop the VM when finished. The VM image resets to its clean state; only your encrypted drives persist data between sessions. Any software you install or settings you change inside the VM will not survive a reboot. If you need additional software in the base image, contact your administrator.

VM Table

The VM table shows all VMs you own, co-own, or have access to via sharing. Each VM displays its connection status, ownership type (owner, co-owner, or shared), and debug/FIPS (Federal Information Processing Standards, a government security compliance mode) indicators.

From the VM table you can:

  • Pin frequently used VMs for quick access.
  • View VM status: Connected, Running, Stopped, Not Running (error), or Unknown (processing).
  • Create, edit, share, start, and delete VM configurations.
  • Connect to running VMs via RDP, terminal hub, or VNC.
  • Transfer files between a running VM and your Vault.
  • Open an SFTP pathway for large data transfers via a proxy connection.

To connect to a project-tagged VM, you must be a member of that project.

For step-by-step instructions, see Virtual Machines Table.

Drives

Drives are encrypted virtual disks that persist your data between VM sessions. Every drive has an owner, belongs to a team, and can optionally be tagged with a project. Supported filesystem formats include EXT4, BTRFS, NTFS, XFS, and ZFS.

The drive lifecycle:

  1. Create a drive: specify a name, team, capacity, and filesystem format.
  2. Attach to a VM: connect the drive to a running or configured VM. A read-write drive can attach to only one VM at a time; a read-only drive can attach to multiple VMs simultaneously.
  3. Use in the VM: the drive appears as a standard filesystem volume, decrypted with your keys inside the VM.
  4. Detach: disconnect the drive from the VM when finished.
  5. Share: share drives with other users in read-write or read-only mode. A drive must be formatted and attached to a VM at least once before it can be shared.

Additional drive operations:

  • Change project tag: restrict drive access to project members.
  • Transfer ownership: hand a drive to another user (the drive must be shared in read-write mode with at least one user before ownership can be transferred).
  • Migrate: move a drive between storage pools.
  • Access via File Explorer: browse drive contents from within the VM interface.

For step-by-step instructions, see Drives Table.

Terminals

The Terminal Hub provides browser-based command-line access to your running VMs. You can open multiple terminals to the same VM simultaneously and arrange them in split layouts.

Key terminal features:

  • Multiple terminals: open as many terminals as needed (recommended maximum of 16 for organized workflows).
  • Split view: drag and drop terminal tabs to create side-by-side layouts.
  • Minimize: collapse terminals you are not actively using. Minimized terminals remain active.
  • Reset layout: restore all terminals to their default arrangement.

A home drive must be attached to the VM before you can open a terminal.

For step-by-step instructions, see Terminals.

Submitting Jobs via Slurm

tiCrypt integrates with Slurm (Simple Linux Utility for Resource Management) for scheduling compute jobs on secure infrastructure. Jobs are submitted from within a tiCrypt virtual machine through the terminal or an RDP session.

To use Slurm, your VM must be configured as a Slurm submit host by your system administrator, and the VM image must have Slurm installed. You submit jobs from inside the VM using standard Slurm commands.

The typical workflow:

  1. Verify availability: run sinfo in the VM terminal to confirm Slurm is configured.
  2. Compose a job script: write a shell script with #SBATCH directives specifying resource requirements (CPU cores, memory, time limit, partition) followed by your workload command.
  3. Submit the job: run sbatch myjob.sh to queue the script, or use srun for direct execution and interactive sessions.
  4. Monitor progress: run squeue --me to list your queued and running jobs.
  5. Review results: run sacct to check resource consumption after completion.

Both sbatch (batch submission) and srun (direct execution, including interactive sessions) are supported. The workload command can be any program callable from the shell: Python, R, compiled binaries, shell pipelines, or other tools.

For step-by-step instructions and example job scripts, see Submitting Jobs via Slurm.

Remote File System

A remote file system via SSHFS (Secure Shell Filesystem) establishes a one-way connection from your local machine into your virtual machine. Once connected, you can write files from your local drive into the VM. Downloads and file reads from the VM are blocked by design to prevent data exfiltration. This provides an efficient way to transfer data into your VM and integrates with external SFTP tools.

Setting up a remote file system requires installing macFUSE and SSHFS (macOS) or WinFsp and SSHFS-Win (Windows) on your local machine. Your Linux VM must be configured for SFTP (Secure File Transfer Protocol). Separate licenses may be required for non-personal or commercial use.

For step-by-step instructions, see Remote File System.


How the Sections Connect

The three areas of the User Guide form an interconnected system:

  1. Your account determines what you can do. Your permission profile controls which Vault operations, VM features, and project interactions are available to you. If a feature is not visible, your profile may not include the required permission.
  2. Teams set your resource limits. Every VM and drive belongs to a team. Your team's quota determines how many cores, how much memory, and how much drive storage you can use. Check your usage in Teams' Resource Usage.
  3. Projects restrict access to resources. Files, drives, VMs, and inboxes tagged with a project are accessible only to project members. Some projects additionally require security certifications.
  4. Groups simplify collaboration. Instead of sharing files with individual users, share with a group to grant access to all members at once.
  5. The Vault and VMs share data through file transfers. You can transfer files between the Vault and a running VM through the built-in transfer interface, SFTP pathways, or remote file system mounts.
  6. Drives persist data across VM reboots. VM images reset on every boot, but encrypted drives retain your data. Share drives with collaborators to give them access to the same persistent storage.