VMs

What are the Virtual Machine Configurations?

Virtual machine configurations combine an operating system, hardware, and drives, enabling users to manage and manipulate files and data within an OS-specific environment.
They allow users to run unique operating systems and their associated applications, creating a customized workspace for specific tasks.

Once a configuration is created, users can launch the VM using that configuration.

Each VM configuration can have multiple drives attached to it.

The following analogy describes how to use and manage virtual machines.

Imagine your hard disk is like a large library with many books. The memory serves as the library desk, where you can access your files much faster, but you still need to retrieve them from the library shelves.
Most operations happen on your desk (memory). When you leave the library, everything on your desk is returned to the library shelves (hard disk).

What is the Difference Between a VM Configuration and a VM?

The VM configuration provides the necessary information to start the VM. The VM itself is the virtual machine where users spend significant time conducting research tasks.

What is the Purpose of VM Profiles?

VM Profiles in virtual machines are a management tool for handling multiple accounts with specific custom permissions.
Instead of manually configuring permissions for many users, you can create a user profile and apply it to a group of VM users simultaneously.

Your VM profile information is based on your user profile in tiCrypt. Your VM profile includes basic information such as your username, date added to the VM, role, permissions, read-write and read-only access directories, and groups.
Your VM profile is view-only; admins manage profile changes and roles.
You must have the following user permissions for VM profiles.

  • User Administration
    • View profiles (roles/permission templates)
  • VM Administration
    • View own VM configs and configs shared with them
    • View own VMs and VMs shared with them
note

Changes in a VM User profile are global to all users with the same VM profile.

What is the Difference between Stopped, Starting, Running, Suspended and Stopping VM States?

  • Stopped: turned off normally.
  • Starting: attempting to establish the connection.
  • Running: actively running and shown under the "Running VMs" section.
  • Suspended: a reserved state for an unlikely situation (future use).
  • Stopping: attempting to cancel the connection.

What is the Difference between Enabled vs. Disabled Debug in VMs Table?

Debug mode determines whether you can debug the selected VM.

Although Debug mode allows you to interact with the VM, debugging can pose a threat to VM security. As a result, debug mode should only be used by system admins temporarily. You should never have a VM in debug mode while it is running in production.

What is the Conn Column in VMs Table?

The Conn column stands for Connected or Not Connected.
This column helps admins identify if there is a connection problem with the VM without accessing the VM.

Your VM must have a connection to the backend. If the connection is off, the VM Controller is not correctly performing the communication procedure between the VM configuration and the backend.

The VM may be in a bad state or completely unresponsive, resulting in your inability to communicate with it.

tip

If a VM does not establish a connection within a few minutes, you will need to put it into debug mode.

What is the Difference between RW Drives and RO Drives in VM Configurations Table?

The acronym RW stands for ReadWrite drives, while RO stands for ReadOnly drives.

What is the Purpose of the Fixed MAC Column in VM Configurations Table?

The Fixed MAC column helps system admins manage software that binds the licences to the MAC address.

Suppose you purchase software for your Mac.

Most software requires system admins to link the MAC address to the software purchase in order to receive a signed digital certificate that allows local use.

If the MAC address is dynamic, every time the user starts their VM, the system admin would have to contact the software company and request a new signed digital certificate for the new MAC address. Using a fixed MAC address allows system admins to set up the software once for all users in the system, enabling licensing at scale.

tip

You should try to avoid using a Fixed MAC address unless you really need one.

What is the Purpose of the Network In & Out Stats in the VM Panel?

Network in & out displays the ingress and egress data for your Virtual Machine configuration.

Data ingress and egress indicate how much data is transferred live in and out of the VM.
This data helps to determine the network traffic to the owners of the Virtual Machine.

Can I Still Use My Desktop to Carry Out Normal Tasks with tiCrypt?

Virtual Machine configurations do not have any connection to the internet for security purposes.

You may use your desktop as a research desk, but all stored results should be processed within the VMs.

tip

Use either one of these workflows when you perform research:

  • Transfer the program you wrote on your local machine into your VM.
  • Write the program directly in your VM.

What Does Double-Permission Mean in tiCrypt VMs?

A new VM is similar to a new local machine; double-permission means your VM is both access-controlled and cryptographically secured.

To access your VM, you must convince the system that:

  1. You have the SHA-256 encrypted key to access the VM resource.
  2. You have permission to access the encrypted hard drive of the appropriate VM.
note
  • tiCrypt access control enforces mechanisms for compliance.
  • You can never get access to a key unless specifically given; everything is in the audit logs.

Super-admins can control the access, but they cannot give you a VM resource key.

Where Should I Save My Research Data in tiCrypt?

Your data should always be saved in your Virtual Machine, which writes it to your encrypted drive.

To save data efficiently, we recommend starting an RDP connection before resuming your research.

Follow the instructions in Access a Virtual Machine Configuration via Remote Desktop Connection (RDP).

What is the Benefit of Adding Teams and Groups in a VM?

When working with a large number of users, you can add teams or groups to a VM and grant them access in bulk.
This ensures consistent permissions across all members of the team or group.

Are the User Profiles similar to VM Profiles?

No.

They are fundamentally different.

The VM User Profiles are sets of identical permissions stored in VMs as a single unit that can tag certain users for VM management.

The User Profiles are a set of permissions in the system which allow certain actions via ACLs to various parts of the user infrastructure.

What is the purpose of VM Groups?

Groups are used to restrict access to directories. Groups can be added or removed from a virtual machine. If a group has access to a specific directory, then only that group can see that directory.

The group must be created first, and then users can be added. The VM must be shared with users before they can be added to the group.

What are the VM Access Directories?

Access directories are folders within a virtual machine. These folders may be restricted so that only group members who were given access may view them. When creating an access directory, an owner must be assigned. Access mode is read-only for all users and read-write for drive owners.

What is the difference between VM Access Directories and Inbox Access Directories?

An inbox access directory can only be applied to an inbox as an entry point directory for external collaborators.

VM Access directories are folders within the VM that allow access to the encrypted drive. VM Access directories are only visible to the users who launch the VM.

What is the Difference between Access Directories in the Vault and VM Access Directories?

Access directories are part of the VM by default. Vault access directories represent the user's local machine, enabling easy file transfer between the local system and the VM.

What is the Purpose of Controller Logs?

Controller Logs display all logs or reports of the virtual machine's behavior.

Each log has a number, a timestamp, and a description of the event. They serve the compliance purpose as well as debugging.

What is the Difference between Disconnecting and Shutting Down a Virtual Machine?

A fundamental difference exists between shutting down a virtual machine and disconnecting a virtual machine.

Example: When the user unplugs their computer from the power source, they shut it down. When the user steps away from their computer, they are disconnecting from it.

What is the Difference between Viewing Logs in Controller Logs section vs. the Open Menu in VMs?

The Controller logs section is designed for VM owners and VM users who have the permissions to view the logs of their VM. The Viewing logs option from the open menu serves Super-admins for overall management of VMs.

Both options serve the same purpose, but they are designed for two different roles in the system.

note

The same view logs option is available for Admins and Super-admins in the Management section under VM Configurations subsection.

Why Should I Share Access to My Virtual Machine?

It is necessary to share your VM with your user research group for the following reasons:

  • If your VM gets shut down, and you lose access when new software needs to be installed, a different group member can help you manage or debug the VM.
  • If your VM is allocated to multiple team members for a particular project, you can speed up the progress of the project through collaboration via the same VM.
  • If you travel on a holiday or change workplaces and a new user needs to take over your VM, sharing the VM can make this process possible.

What are the Access Control Lists in the Virtual Machines?

There are two types of ACL mechanisms in tiCrypt:

  • Access Directories.
  • VM Controller.

Access Directories

The mechanism that allows access controls to be implemented at the virtual machine level.

VM Controller

The mechanism that serves the permission management purpose. For example, roles and restrictions in VMs are VM Controller responsibilities.

What are the Built-in Access Control List Templates?

Built-in Access Control Lists are templates to simplify the use of Windows VMs.

They are designed solely for Windows VMs to help users manage permissions, similar to Linux VMs.

Linux has three system permissions. However, Windows has 13 system permissions—any combination of changes in permissions can have a significant impact on how users operate their Windows machines.
As a precaution, tiCrypt implemented built-in ACL templates to provide flexibility when managing complex technical situations.

Since Windows allows system admins to be very creative, tiCrypt uses two pre-built templates by default:

  • Read-Write: with three active permissions in Windows.
  • Read-Only: with one active permission in Windows.

The ACL templates support users' work in their Windows VMs, so users do not have to manually build a template before being able to use a Windows VM.

caution

This is an advanced feature. You should not create custom ACL templates right after you build your Windows VMs, unless necessary. For every change in Windows permission settings, you must be technically prepared to pay the cost of running it. The more control you desire, the more preparation is required to maintain that control.

tip

Windows itself will not display all its 13 permissions because it has its own pre-built templates.

What Happens when you Replace ACL Templates?

You can break your Windows VM if your permissions conflict with the work you are trying to carry out in the VM.
As a best practice, you should keep things simple by using the default tiCrypt templates for Windows and avoid going beyond the default settings unless you specifically know what you are doing.

How do I Share My Virtual Machine?

There are two ways you can share a VM.

Share for VM Co-ownership

When you share a VM for co-ownership purposes, you are giving direct access to the VM drives. This must be done carefully, since the co-owners of the drives may take over the drives for themselves and make their own VM with them, leaving you with no storage space. As a result, you should share the VM only with a limited number of co-owners.

Follow the instructions from Share a Virtual Machine with Other Users.

caution
  • Ensure you pre-select the co-owners of your VMs.
  • Users must be part of the same team to share VM configurations.
  • Users shared with the VM must refresh their virtual machines list to view the new shared VM.
  • Co-owners can mount drives if given the appropriate permissions.
tip

For best practice, you should have at least two owners per VM.

Share for User Access

When you give users access to use your VM, you share a part of the VM with them; however, they will not be able to access the drives, which minimizes the security risks. Once shared with a user, the VM configuration may be launched by that user directly. Same-team users can share the VM further only with other same-team users.

Follow the instructions from Add Users to a Virtual Machine.

note

You may have a large number of managers in a VM without them having access to its drives.

Can my Local Machine go to Sleep During an SFTP to VM Transfer?

Yes.

When you use the provided workflow to run an SFTP transfer on either macOS or Windows, the process continues running automatically even if your local machine goes to sleep.

note

If you reset or shut down your local machine, the transfer process will be interrupted.

What is the Cryptographic Mechanism Behind an SFTP to VM Transfer?

During an SFTP to VM transfer, your private key is used to encrypt the transfer, ensuring secure communication between your local machine and the SFTP Drive.
However, this process depends on the local policies configured on your machine.

Your local machine will not shut down during an SFTP to VM transfer lasting up to 12 hours, unless you are using a VPN, which may auto-disconnect after 12 to 16 hours, interrupting the transfer.

How do I Prevent my Local Machine from Going to Sleep During a Long SFTP to VM Transfer?

For Mac

  1. Open System Preferences and navigate to Energy Saver.
  2. Adjust the settings to prevent your Mac from sleeping during the transfer.
  3. Ensure Prevent computer from sleeping automatically when the display is off is checked.

For Windows

  1. Open Control Panel and go to Power Options.
  2. Select your active power plan and click Change plan settings.
  3. Set Put the computer to sleep to Never during the transfer.
  4. Save the changes.

How do I Start Using my Virtual Machine?

The virtual machine is usually the place where you spend most of your time during your research.

1. Turn On Your Virtual Machine

Follow the instructions from the Turn On a Virtual Machine Configuration.

note

You will be prompted to type your password and then notice the Virtual Machine connecting to the drive automatically.

2. Connect to Your Virtual Machine

Follow the instructions from the Connect to a Virtual Machine Configuration.

3. Open Remote Application (RDP)

Follow the instructions from the Access a Virtual Machine Configuration via Remote Desktop Connection (RDP).

How do I Solve a VM Permission Issue?

Follow the instructions in Sync Users’ Permissions in a Virtual Machine.

Alternatively, follow the instructions in Re-authorize User Permissions.

What is the Re-Authorize User Permissions Mechanism in a VM Configuration?

When re-authorizing user permissions, the following actions take place automatically.

  1. Backend asks the tiCrypt server which users can connect to your VM.
  2. Backend checks who the VM trusts via its registered user list and users' roles in the VM (user or manager).

| User is registered on the Server | User is registered in the VM | Automated Action |
|---|---|---|
| Yes | Yes | No action is taking place. |
| Yes | No | The VM is synced with the server. |
| No | Yes | The system de-authorizes the user and then re-authorizes them with the correct user role (user or manager). |
| No | No | Re-register the user in the VM. |

note
  • This command is available to VM owners only.
  • VM configuration owners who were not registered in the VM but are registered on the server will be automatically added as managers with full permissions to the VM configuration.

What Is the Dynamics Between Teams and VMs?

Teams serve the management purpose and are necessary for a user to be active in the system.

Virtual Machines user management is based on single users and does not depend on teams at all.

For example, a user can be part of several teams and belong to a single VM, while another user can be part of one team and belong to several VMs. As a result, teams and VM user management are not connected by default; however, users must belong to at least one team to be able to use VMs.

If you want to add to a VM all users who belong to the same team, as part of your management structure, you can do that by following the instructions in Add Users to a Virtual Machine.

tip

To learn more about teams, navigate to the Teams.

Do I Need a Team to Be Able to Create a VM Configuration?

Yes.

A team is necessary to be able to create a VM configuration, as the team maintains the hardware and software quotas.

Do I Need a Project to Be Able to Create a VM Configuration?

No.

A project is optional to be able to create a VM configuration, as not all VMs have a security level associated with them.

What Hardware Controls the VM Configurations?

VM configurations are controlled by hardware setups located in the VM Hardware Setups section. This section is typically maintained by Admins or Super-Admins.

What is the Projects Restriction Mechanism in VM Configurations?

Restricted projects in VMs are enforced as follows:

  • Unrestricted VM configurations = Unrestricted drives
  • Restricted VMs + Read-and-Write drives = Same level of project restriction required
  • Restricted VMs + Read-only drives = Same level restriction or unrestricted project allowed
info

Please recall that VM configurations that are restricted by a project have higher restrictions and must match up with the drive.
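
The three rules above can be checked mechanically before a drive is attached. The following is an added example, not tiCrypt code: the `Drive` and `VMConfig` types, the function names and the sample inventory are all hypothetical, and it assumes that "same level of project restriction" can be modelled as the VM configuration and the drive carrying the same project tag.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Drive:
    name: str
    mode: str                # "RW" (read-write) or "RO" (read-only)
    project: Optional[str]   # restricting project tag; None means unrestricted


@dataclass(frozen=True)
class VMConfig:
    name: str
    project: Optional[str]   # None means an unrestricted VM configuration
    drives: tuple = ()


def check_drive(vm_project, drive):
    """Return None if the drive may be used, otherwise the rule it breaks.

    Assumption: "same level" is modelled as an identical project tag.
    """
    if drive.mode not in ("RW", "RO"):
        raise ValueError(f"unknown drive mode {drive.mode!r} on {drive.name}")
    if vm_project is None:
        # Rule 1: unrestricted VM configurations pair with unrestricted drives.
        if drive.project is not None:
            return "unrestricted VM configuration with a project-restricted drive"
        return None
    if drive.mode == "RW":
        # Rule 2: a writable drive outside the project would give restricted
        # data somewhere less restricted to land, so the tags must match.
        if drive.project != vm_project:
            return "read-write drive does not carry the VM's project restriction"
        return None
    # Rule 3: read-only drives may be unrestricted or match the VM's project.
    if drive.project not in (None, vm_project):
        return "read-only drive is restricted by a different project"
    return None


def find_violations(config):
    """List (drive name, reason) for every drive that breaks a rule."""
    found = []
    for drive in config.drives:
        reason = check_drive(config.project, drive)
        if reason is not None:
            found.append((drive.name, reason))
    return found


def audit(configs):
    """Map each non-compliant configuration name to its violations."""
    report = {}
    for config in configs:
        violations = find_violations(config)
        if violations:
            report[config.name] = violations
    return report


# Constructed sample inventory (not real tiCrypt data).
SAMPLE = [
    VMConfig("restricted-vm", "proj-a", (
        Drive("results", "RW", "proj-a"),     # allowed: same project
        Drive("reference", "RO", None),       # allowed: unrestricted, read-only
        Drive("export", "RW", None),          # violation: writable, unrestricted
        Drive("other-data", "RO", "proj-b"),  # violation: different project
    )),
    VMConfig("open-vm", None, (
        Drive("scratch", "RW", None),         # allowed
        Drive("tagged", "RO", "proj-a"),      # violation: restricted drive
    )),
]

if __name__ == "__main__":
    for vm_name, violations in audit(SAMPLE).items():
        for drive_name, reason in violations:
            print(f"{vm_name}: {drive_name}: {reason}")
```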

Why Can I Not Edit my VM?

You cannot edit a VM if you are not its owner.

You must ask the owner of the VM to edit it for you.

To find the VM owner follow the steps below:

  1. Go to the Virtual Machines icon in the top left taskbar.
  2. Click the Virtual Machines Table Overview section on the top left panel.
  3. In the left panel, click the virtual machine to contact its owner.
  4. Scroll down and click the User Management card.
  5. Under the Role column, find the user with the "Owner" role.
  6. Contact your VM owner to help you edit the VM configuration.
note
  • Newly added users must connect to the VM configuration; they do not need to attach any drive.
  • Users can add other users to the VM configuration if they are on the same team and have permission to add other users.

What is the Relationship Between VM User Profiles and Projects?

VM User profiles are "colluded" with projects due to permissions gaining an unfair advantage over other system functions.

Both VM User profiles and projects include permissions in the Virtual machines, which makes them power features. However, projects are above VM User profiles and other functions in tiCrypt. Projects can get to a point where super-admin roles lose access for security purposes.

In principle, VM User profiles are designed to help with virtual machine management where large numbers of users belong to the same VM configuration. Projects are the strongest in terms of security.

  • VM User profiles are access controlled.
  • Projects may be both access controlled and cryptographic.

Follow the instructions from the Add User Profiles in a Virtual Machine.

Optionally, follow the instructions on how to Import User Profiles from the Same or Other Virtual Machines.

tip

View the Logs of the Virtual Machine to understand the behaviour of VM User Profiles in a project-tagged VM.

How do I Differentiate User Roles in a VM Configuration?

  1. Go to the Virtual Machines icon in the top left taskbar.
  2. Click the Virtual Machines section on the top right panel.
  3. In the left panel, click the virtual machine to view its users' roles.
  4. Scroll down and click the User Management card.
  5. View the users and managers under the "Role" column.

How Can VM User Profiles Help my Team?

VM User Profiles allow permission-based access for VM users in the virtualized computing environment.

Traditionally, virtual machines allow for the isolation of software, applications, and user configurations, enabling multiple profiles to coexist on a single physical machine. tiCrypt goes beyond physical environments allowing VM user profiles to coexist in an end-to-end encrypted and fully isolated virtual machine environment.

VM User Profiles improve the following processes:

  • User management settings
  • User network management
  • Bulk permission actions
  • Ability to delegate data responsibility between VM and Vault
  • Control drive, groups, remote applications access
  • System statistics
note
  • VM User profiles are unique because they can alter all actions that can be performed by users in their VMs.
  • Permissions of VM Profiles in the Virtual Machines have nothing in common with a user profile's permissions from My Profile section in the open user menu.
  • VM User profiles maintain user separation of duties at all times.

Why is the Internet Access Not Working for my VM?

Your VM is fully isolated from any external connections that may pose a threat to your research.
tiCrypt cuts off all inbound and outbound internet access from your VMs to prevent data exfiltration.

For example, if you acquire software that runs well on your VMs but "calls home" to report information about you, a hacker could exploit this connection to compromise your virtual machine, putting your work at risk.

info
  • Many times, the software is blocked when put into tiCrypt because it sends data home about you.
  • The large majority of software reports to Google and Microsoft.
tip

You can use your local machine's internet access to collect data, then transfer it into your VM to process and organize it.

Are the VM User Profiles Similar to User Profiles?

No.

They are fundamentally different from each other, and no common point is attached to them.

VM User Profiles

Virtual Machine User Profiles help standardize user management for VM configurations.

The size of your VMs determines the need for a VM User profile.

  • If your virtual machine has a few members, VM user profiles may not be necessary.
  • If your virtual machine has many members, VM User profiles are recommended for standardized management, defined roles, and proper organization.

There are, in total, nine permissions for users and eleven permissions for managers, as shown in the tables below.

User Role

| Permission | Description |
|---|---|
| Users | View other users. |
| Files | View / edit files. |
| VM to Vault transfer | Transfer files to tiCrypt Vault from VM. |
| Vault to VM transfer | Upload files to VM and create directories. |
| Terminals | Open terminals through tiCrypt. |
| Remote application access | Allows VM application access from user desktop. |
| Access Directories | View access directories. |
| Groups | View groups. |
| System Statistics | View real-time system utilization. |

Manager Role

| Permission | Description |
|---|---|
| Users | List, create, delete and modify users. |
| Drives | List, format, mount and unmount drives. |
| Files | View, edit, and delete files and directories. |
| VM to Vault transfer | Transfer files to tiCrypt Vault from VM. |
| Vault to VM transfer | Upload files to VM and create directories. |
| Terminals | Open terminals through tiCrypt and interact with other users' terminals. |
| Remote application access | Allows VM application access from user desktop. |
| Access Directories | List (all), create, delete and modify access directories. |
| Groups | List (all), create, delete and modify groups. |
| System Statistics | View real-time system utilization. |
| Full drive access | Owner-like manager permissions. |
| Restart VM controller | Can restart VM controller to update or fix issues. |
| Sudo (Admin) Access | Allows you to grant administrator privileges to user. |

VM users' VM profiles are set to Custom by default if:

  • They do not have a VM profile.
  • They have manual permissions set in place.
note

Your user role in the system does not depend on your VM profile. For example, you can be a Super-admin in the system and still have a standard user VM profile and vice-versa.

User Profiles

User Profiles are the standard primary system profiles that are based on custom permissions set by the admins.

They are used to "stamp" accounts at any time: a user profile can be applied in bulk to multiple users in the system, eliminating the need to configure permissions individually.

For instance, an admin can set up a user profile for the newly activated users, which accelerates the onboarding process and reduces the likelihood of errors with permissions.

There are in total one hundred and forty permissions in the tiCrypt user interface.

To view all permissions in the tiCrypt user interface follow the documentation in Permissions.

danger

It is not recommended to manually tamper with permissions. Any changes will affect how users operate the system. Permission changes should be commonly agreed-upon decisions by the research collective.

Do I Have to Re-Login to View a VM Shared With Me?

No.

Use re-login as the last resort. A better way to view a VM shared with you is to follow the steps below.

  1. Go to the Virtual Machines icon in the top left taskbar.
  2. Click the Virtual Machines Table Overview section on the top left panel.
  3. In the top left center panel, click the Refresh button to refresh the VM list.
tip

Use the Sync User Permissions option to reduce friction between VM owners and their VM permissions.

What Actions Can I Perform in a VM Configuration Based on my User Role in VM?

| Actions in VM | Required User Role in the VM |
|---|---|
| Create | Owner/Manager |
| Edit | Owner/Manager |
| Change Profile Permissions | Manager |
| Start RDP Connection | User |
| Perform File & SFTP Transfer | User |
| Open Terminal | User |
| Explore Files | User |

Why Can I Not Open an RDP Connection of a Windows VM from my Mac?

Mac users must download Microsoft Desktop to be able to open an RDP connection in a Windows VM.

What Happens when I Move a File Tagged by a Project into a Differently Tagged VM?

If a file is tagged by a lesser project than that of the virtual machine, it can be moved into the virtual machine. As a result, the file's project will now tag the virtual machine.

What is the Purpose of Persistent Drive Slots in VMs?

When creating a new Virtual Machine, drive slots can be selected for storage distribution.

What are the Context Menus in VMs?

Context menus allow the longer version of the toolbar from the top-right side to show up by right-clicking on files. This function applies globally in tiCrypt.

Are Projects in VMs Access-Controlled or Cryptographically Encrypted?

Projects are access-controlled by admins and encrypted using AES-256 keys. As a result, admins and users require mutual collaboration to make the VM operations functional. Project tagging can prevent access to a VM, no matter your user role.

note

Inactive VMs will automatically shut down as part of server resource management practices (this setting may be adjusted).

What are the Virtual Machine Applications?

The VM Applications section in tiCrypt enables the use of tools and applications within virtual machines to help research groups accomplish specific tasks.