Summary
tiCrypt enforces a user-controlled security model where access is cryptographically defined, not administratively assumed.
Even in the event of administrative account compromise, underlying data remains inaccessible. Administrative privileges do not grant visibility into user data. Compromised accounts can be revoked, and all activity can be traced through immutable audit logs.
Users
tiCrypt architecture is user-centered. By default, each user is assigned to a team, enabling resource allocation (e.g., compute, storage) and system access.
All user data resides in personal encrypted vaults. By default:
- No other user - including administrators - can access this data
- Data is only accessible through explicit user-initiated sharing
This establishes the user as the primary control boundary.
Groups
Groups enable controlled collaboration between users.
A group functions as an encrypted shared workspace accessible only to its members.
- Files placed in a group are automatically shared with group members
- Access is governed by group membership, permissions and public key cryptography
- The group creator defines access policies (view, download, edit)
This allows teams to collaborate without exposing data outside the defined boundary.
The group creator can decide who can view, download or edit anything in the group directory.
Projects
Projects introduce an additional layer of access control.
Users can assign a project tag to files or directories. Once tagged:
- Access requires project membership
- Files remain physically isolated under their respective owners unless specifically shared
- Visibility is not implied across users, even within the same project
This ensures that project-level organization does not override user-level isolation.
Umbrella Project with Groups
Multiple groups can be associated with a single project (“umbrella project”).
Access to data requires:
- Membership in the project
- Membership in the corresponding group
Even within the same project, access remains segmented by group boundaries via group membership access (which uses public key cryptography).
Umbrella Group with Projects
Projects can also be applied within groups.
When files in a group are project-tagged:
- Users must have both group membership and project membership
- Access is enforced at both levels simultaneously
This creates a dual-layer access model combining collaboration and segmentation.
Project Tagged Drives
Projects can extend beyond files to encrypted VM drives.
When a drive is tagged:
- Access requires project membership
- Data remains encrypted and isolated within the VM environment
This enables secure, project-scoped segmeneted environments.
Umbrella Group with Project Tagged Drives
Project-tagged drives can also exist within group contexts.
In this model:
- Drives, files, and directories may exist under the same group
- Access remains segmented by project membership
- Users cannot access each other’s data unless explicitly shared
This preserves isolation even in shared operational environments.
Conclusion
tiCrypt combines end-to-end encryption with layered access control to enforce strict data boundaries.
Users retain control over their data, while groups and projects enable structured collaboration without compromising isolation.
The result is a flexible system where security is enforced by architecture - not by administrative trust.