VM Configurations
What are the VM Configurations in Management?
The VM Configurations display all existing Virtual Machines in the system.
How can I be More Efficient When I Manage Larger Virtual Machines?
Large virtual machines may have a large number of users depending on the project.
User profiles are an effective management tool in tiCrypt, allowing you to quickly increase user access and regulate how users behave in a virtual machine network.
Instead of manually setting permissions for each user in a large VM, you can avoid human error using the following workflow.
Ensure you select the appropriate profile when adding users to your VM.
Do VMs Automatically Restart After I Make Some Changes?
No.
VMs never automatically restart. Only the drive owner can restart the VM.
What is the Mechanism Difference between Virtual Machines and Drives?
Virtual Machines are always in lock-down mode, while drives are always cryptographic.
What are the Common Elements between VM Management and VM Section?
The Basic VM Information
| . Management > VM Configurations Table | . Virtual Machines > VMs Overview Table |
|---|---|
| The team name in the Team column. | The Team name under VM information card. |
| The project tag in the Project column. | The Project tag under VM information card. |
| The VM owner in the Owner column. | The VM Owner name and role under VM information card. |
| . Management > Running VMs Table | . Virtual Machines > VMs Overview Table |
|---|---|
| The VM started on date in Started column. | The Started On date under VM information card. |
| The VM total runtime in Runtime column. | The Runtime time under VM information card. |
| The IP and Mac address in the IP Adress and MAC Adress columns. | The IP/MAC Adress string under VM information card. |
The VM States
| . Management > VM Configurations Table | . Virtual Machines > VMs Overview Table |
|---|---|
| The Running dot in State column. | The Running dot in the left panel. |
| The Stopped dot in State column. | The Stopped dot in the left panel. |
| The Suspended dot in State column. | The Disconnected from VM controller dot in the left panel. |
| The Starting dot in State column. | The Starting dot in the left panel. |
| The Stopping dot in State column. | The Stopping dot in the left panel. |
The VM Quotas
| . Management > Running VMs Table | . Virtual Machines > VMs Overview Table |
|---|---|
| The cores integer values in Cores column. | The Core usage integer values under VM information card. |
| The memory integer values in Memory column. | The Memory usage integer values under VM information card. |
The Debug Mode
| . Management > Running VMs Table | . Virtual Machines > VMs Overview Table |
|---|---|
| The Debug symbol in Debug column. | The Debug symbol in the left panel. |
What is the Difference Between tiCrypt VMs and Traditional Cloud Providers?
There are several key differences that distinguish tiCrypt VMs from basic cloud providers and others that rely solely on ACLs without cryptographic isolation.
Secure Virtual Machines
tiCrypt enables secure computation through the use of secure virtual machines, employing mechanisms fundamentally different from existing cloud solutions. Notably:
- Securing at Start-Up: The VM controller secures the VM during the start-up sequence by changing all passwords and blocking all ports except port 22.
- Accessing VMs: For security reasons, tiCrypt virtual machines cannot be accessed using traditional methods. Direct connections to the VM console, SSH logins, or other remote server technologies are not allowed, as admins could control these and potentially be impersonated by attackers. The only means of communication is through a secure channel that only the VM owner can access via a proxy within tiCrypt.
When a VM starts, it receives the owner's public key.
During secure channel setup, the VM and the user co-authenticate using their respective public and private keys. A secret channel key is negotiated (using the Diffie-Hellman protocol) and used for all communication.
Encrypted Drives: For efficient computation, the VM requires fast, secure storage, provided as encrypted drives. With encrypted drives, all application input, output, and intermediate results are protected by cryptography. Drive encryption keys are generated and managed similarly to file keys, and are transmitted to the VM over the encrypted user-VM channel during start-up. This ensures that only the user controls the drive encryption; even admins cannot access the data.
Access to the Data Store: VMs can access the main data store through secure sub-sessions created by the client, with file keys passed through the encrypted user-VM channel.
Secure TLS-Based Tunnels: Using the user-VM secure channel, the VM controller can establish a proprietary FIPS-180 compliant TLS tunnel between the user's computer and the VM. This tunnel uses only public-key-based authentication and temporary private keys. All traffic between the user's computer and the VM is sent through this tunnel, preventing snooping by any other party (including system administrators). This method is even more restrictive than SSH, as it does not allow any commands to be run on the remote machine.
Restricted Outbound Internet Access: VMs have severely restricted internet access; only the tiCrypt backend and licensing servers can be accessed directly. This protects against accidental or intentional information leaks. Even if a VM is compromised, the only way to leak information is through the main vault, which is audited.
Principles of Concern:
- The most important principle: VMs are owned by the user—a dedicated owner—not by admins. Compromising an admin does not grant attackers implicit access to system resources.
- Authenticated network access does not rely on weak passwords, but on a highly controlled public key infrastructure.
- No open ports on the VM, blocking all access by default.
How is a Virtual Machine Usable if No Ports are Opened?
By blocking all ports, the VM is essentially isolated, requiring a special mechanism for communication. This is achieved by binding the VM with a public key, which is further linked to the user's public key. tiCrypt enables communication between the front end and the VM by exchanging secrets using Diffie-Hellman protocols and digital signatures for co-authentication. This process establishes a symmetric encryption key for ongoing communication, resulting in a double-encrypted channel. tiCrypt uses encrypted web sockets, with data encrypted by the symmetric key. Rest encryption is achieved with the derived secret, and transport encryption is achieved with the Diffie-Hellman exchanged secret. The backend is involved only during the initial connection; after that, it does not participate in communication between the front end and the VM. This design prevents snooping by both external actors and infrastructure administrators.
The mechanism is completely passwordless, but some operating systems may require passwords. In such cases, passwords are programmatically generated, complex, ephemeral, and managed automatically.
Boot images are immutable and reset automatically on boot, providing an extra layer of security and eliminating any persistent internal risk.