Security, compliance, and operational clarity

Frequently Asked Questions

General Overview

Usage and ownership

Do I need a supercomputer to benefit from tiCrypt?

No. tiCrypt runs on standard compute environments. While higher core counts improve throughput, the system is designed to operate efficiently on conventional infrastructure.

Does Tera Insights manage or access our systems?

No. Tera Insights personnel do not have access to customer systems. tiCrypt is deployed and operated entirely under customer control.

Do you sell tiCrypt to customers outside the US & Canada?

No. For export-control and compliance reasons, tiCrypt is sold only to customers in the United States and Canada, and must be installed on servers located within those countries.

Security Architecture

System encryption, access and security

Does tiCrypt operate in a fully isolated, air-gapped environment?

While it is not inherently air-gapped, it supports strong logical isolation, end-to-end encryption, and strict access control to protect CUI.

How are tiCrypt VMs different than traditional VMs?

  • Secured at start-up: VM controller changes all password and blocks all ports except port 22.
  • No VM access: direct connections, SSH logins, or other remote servers do not work, access to VM is via a tiCrypt proxy only.
  • Encrypted drives: data is always encrypted, away from admins.
  • FIPS-180 compliant TLS tunnels: traffic moves through a public-key-based authentication tunnel, more restrictive than SSH.
  • Restricted internet access: protection against accidental or intentional information leaks.

What is the difference between default-open and default-shut security models?

A default-open security model allows access unless it is explicitly restricted.

  • Relies on firewalls, perimeter defenses, and access control lists (ACLs).
  • Common in traditional solutions and architectures.

A default-shut security model denies access unless it is explicitly allowed.

  • Uses public-key cryptography (PKC) and end-to-end encryption.
  • Built within the tiCrypt protection layer.

How does a user recover their lost private key in tiCrypt?

Users can recover their lost private keys through a process called escrow (see whitepaper). Escrowing is slow and traditional to prevent social engineering.

If there are no passwords, how do users log into tiCrypt?

Users do provide a password to attach their private key to tiCrypt. However, authentication does not rely on the password itself. Instead, the system validates the user by verifying the hash of the digital signature of their private key, similar to how blockchain systems like Bitcoin confirm ownership.

Support and Lifecycle

Support and updates.

Is tiCrypt compatible with Nutanix?

tiCrypt currently supports Nutanix, but that support is scheduled to be discontinued in 2026. tiCrypt can run on bare metal with RedHat Enterprise, CentOS, Rocky, or Springdale 7+ installed.

Does tiCrypt support MFA (Multi-Factor-Authentication)?

Yes. You can add MFA on top of the current security layout for enhanced security.

Do you have any additional information?

Below are several links to deployments from a few of our customers, including environments such as Citadel, Granite and ResVault, along with supporting materials that discuss architectures aligned with tiCrypt.