Overview

Key Escrow is tiCrypt's (tiCrypt is a software that operates within Citadel) way of protecting the recovery process of lost keys in the system. The user's private key is cryptographically split into three parts, and parts of it are sent to different escrow group key users for recovery. In tiCrypt, escrow users are separated into groups; each group receives only one part of the escrowed key. This is done to avoid collusion between users of the same group.

NOTE: If you lost your Citadel keys, please contact your designated sub-administrator for the necessary assistance in restoring your keys. They will provide the appropriate support to help you regain access promptly and securely.

Citadel Account Recovery

An important concept in the tiCrypt architecture is the idea of role separation of duties. Each role plays a unique part in the system. Roles of Key Escrow functions are described below:

Escrow Groups

At Princeton, three escrow groups are created - Escrow Group 1, Escrow Group 2, and Escrow Group 3. The escrow group members are responsible for recovering the lost keys of Citadel users.

Escrow Users

Escrow users are responsible for recovering lost private keys for regular Citadel users. These users are outside of the system. The table below contains the three groups of escrow users. Escrow users are selected one user from each group. 

Escrow Group 1	Escrow Group 2	Escrow Group 3
Jed Marsh	Francis Kayiwa	Christopher Tengi
Elizabeth Adams	Elizabeth Holtz	Steve Niedzwiecki
Curt Hillegas	David Sherry	Stephanie Ayers

Site Key Administrator

The Site Key Administrator is used for offline certification of escrow groups and escrow users. The site Key Administrator is outside of the system. Robert Knight (knight@princeton.edu) is a Site Key Administrator for Citadel at Princeton. 

---

Escrow User

User Registration

• If accessing Citadel for the first time, please follow the tiCrypt connect installation instructions.

Escrow User Creation Process

The workflow process for adding the Escrow User is as follows:

1. If you haven't done so already, install the tiCrypt connector <Version Number> by following the instructions in this article. 
2. Register to become escrow users by selecting the drop “Escrow” drop-down option on the Citadel login page.
   
3. Click “Create Escrow” (This action will generate a new keypair for you).
    
4. The escrow Users will be prompted to register their account by providing basic user account information and indicating which Escrow Group they will belong to.
   

   NOTE: If you are unsure of which Escrow Group you should register for please contact a system administrator

   
   

Escrow User Login

1. On your computer navigate totiCrypt Connect application <Version Number>. 
2. Select Escrow on the main login page.
   
3. Upload your escrow key on the webpage (drag and drop works as well)
4. Enter the password associated with the key escrow key.
5. Click Login.

Recovering User Keys as Escrow User

1. The Administrator will select three Escrow user members, one escrow user from each group, and designate the Escrow User who will restore the private key. Each Escrow User will share the key parts with that user.
2. Launch tiCrypt Connect Application on your computer. If you don't have it loaded, follow the instructions in this article to install it on your computer.
3. Update to the latest software version by clicking Update when prompted.
   

   NOTE: It is essential to run on the newest software version.

4. Click the play icon for the Citadel Deployment to launch the main login page.
5. Select the dropdown menu from the main login page to change the Login from tiCrypt to Escrow.
6. Upload the Escrow User private key, enter the password, and click Login. Make sure to use the escrow user private key as it differs from the Citadel private key.
7. In the list of users, select the user for which to recover their key.
   
8. Share the critical parts with the designated Escrow User by clicking the share button next to their name.
   
9. Once the designated Escrow User has all three key parts, the 'Recover Key' button becomes clickable.
    
10. When prompted, the Designated Escrow user clicks Recover Key and creates a new password for the recovered private key.
11. After setting the password, the recovered private key will automatically download to the designated Escrow User's local workstation.
12. The private key and password can now be shared separately and securely with the user (if account recovery was requested). Make sure to use securesend.princeton.edu to share the key and temporary password. 
    

    NOTE: The account is still protected by NetID two-factor authentication. If account recovery were not made on behalf of the user, NetID credentials would need to be shared for the administration to gain account access.

---

Site Key Administrator

Site Key Admin Creation Process

System Admins and Sub-Admins do not have access to the site key interface, nor are they able to digitally sign certificates. The site key must be countersigned by the Tera Insights (author of tiCrypt software) key and placed in the correct configuration file to use the site key and certificate interface. This site key is used to sign certificates that will get passed into tiCrypt. The site key interface is an offline tool that enforces digital signatures and prevents these signatures from being forged.

1. Launch tiCrypt Connect 3.0 application on your computer.
   
2. Navigate to the site key creation page.
3. Select the escrow user link on the main tiCrypt login page.
4. Select Create site key on the escrow login page.
   

   NOTE: The link will redirect to a registration page similar to the tiCrypt user registration page.

5. On this page, the public-private site key pair is created, a password to encrypt the private key is required, and terms are listed that must be accepted.
6. Save the Private key. This private key is not recoverable after leaving the registration page and should be stored accordingly. Acceptable locations are LastPass, University-supported Google Drive, or OneDrive folders.
7. To use this site key, the public part of the key must be digitally signed by TeraInsights and then stored on the server. This operation is only performed once. (during the system's initial setup).

   IMPORTANT: Until the public key is countersigned by Tera Insights and placed in the system, the site key cannot be used to sign any certificates.

Upload Unsigned Certificates

1. Click on the Import Certificates button in the top center of the interface OR drag and drop certificate(s) on the interface.
   
2. Select Escrow User request certificate to upload and sign.
   

Sign Certificates

1. Select the certificate(s) you want to sign by clicking on the associated checkbox.
2. Enter the site key password to decrypt the site key in the top right panel.
3. Select sign to complete the process.
   

   NOTE: All signed certificates appear in the Signed Certificates panel after signing.

Edit Certificates

1. Select a certificate you want to edit.
2. Click on the edit option and change the information associated with the certificate.

Export Certificates

1. In the Signed Certificated panel, click on the export button.
   

   NOTE: You can edit the name of the certificates before exporting them.

2. This will download all of the signed certificates to your computer. From here, please share any of the certificates as needed.

Escrow Groups

The Site Key Administrator can create or edit escrow groups. The workflow process for creating the Escrow Group is as follows:

1. The Site Key Administrator generates escrow group certificates.
2. The Site Key Administrator signs the escrow group certificates with the site key.
3. The Site key Administrator emails the signed escrow group certificate to a member of the System Admin group.
4. A member of the System Admin group adds them to Citadel using the certificate Management Tools.

---

Citadel Administrator

IMPORTANT NOTE: Please set “active and escrow on next login” for all new users upon activation to have the chance to escrow their keys later.

Escrow User Creation Process

The workflow process for adding the Escrow user is as follows:

1. Ask the user to Register to become escrow users by selecting the drop "Escrow" drop-down option on the Citadel login page.
   From there, the Escrow User will click "Register."
    
2. The Escrow User will be prompted to register their account by providing basic user account information and indicating which Escrow Group they will belong to.
   

   NOTE: Please instruct the Escrow User with the Escrow Group Name they should join.

3. Next, the user will be prompted to download the private escrow key and the unsigned certificate.
   
   

   NOTE: A notification asking to download multiple files will appear. The Escrow User should click allow for this instance.

4. Instruct the Escrow User to email their unsigned certificate to the Site Key Administrator. The file name looks like this:

   Create-escrow-user (`USER NAME’’).csr.json  
   
   Campus Units (?id=campus_units) My Tickets (?id=tickets) Contact Us (?id=contact us) 
   Service changes (?id=outages) 
   My bookmarks(?id=my bookmarks) 
   My Account (?id=user_profile& sys_id=5136503cc611227c0183e96598c4f706) 

5. The Site Key Administrator signs the request and sends the newly signed certificate to System Administrator.
6. System Administrator adds signed escrow user certificate to Citadel.

Upload Signed Escrow Certificate

Escrowing Users

Escrow User Deletion Process

The workflow process for deleting Escrow User is as follows:

1. A Citadel Admin navigates to Escrow Users within the Management tab of Citadel.
2. The Citadel Admin clicks the red “remove” icon for the Escrow User you wish to issue a deletion request.
    
3. The deletion request certificate will download onto the local machine.
4. Email the certificate to the Site Key Administrator for signing.
   

   NOTE: Signing the certificate follows the same steps as Escrow User certificate signing.

5. Once the Site Key Administrator signs and emails back the deletion request, the Citadel Admin will place the request into Citadel via the ‘Signed Escrow Actions’ tab.