Virtual Machines in Action

Understand how tiCrypt Virtual Machines enable secure workflows

Overview

  • Clear separation between secure storage (Vault) and secure processing (Virtual Machines).
  • Encrypted drive provisioning with structured team-based resource governance.
  • Hardened Linux and Windows virtual machines with owner-only access and closed external ports.
  • End-to-end encrypted remote access (RDP and terminal) with authenticated key exchange.
  • Client-side key management ensuring disk decryption keys are never exposed to the backend.
  • Controlled data movement between storage and compute through policy-driven project tagging.
  • Isolated compute environments designed to reduce attack surface and compliance scope.
  • Secure enclave architecture supporting CMMC Level 2 and NIST 800-171 operational requirements.

Secure Processing with Virtual Machines

While the tiCrypt Vault is designed for secure file storage and sharing, tiCrypt Virtual Machines are built for secure data processing. Together, they form a controlled, end-to-end encrypted environment for organizations handling sensitive workloads, such as Controlled Unclassified Information (CUI).

In this demo, we walk through the creation of a Linux virtual machine, demonstrate encrypted disk attachment, and show how secure remote access and file transfer are handled within the tiCrypt architecture.

Encrypted Drive Creation and Team Allocation

The process begins with creating a drive. Drives are encrypted volumes that store data for virtual machines. When creating a drive, administrators assign it to a team, ensuring that storage usage is properly allocated and tracked for resource management and compliance visibility.

Newly created drives are not automatically attached or shared. They remain isolated until explicitly connected to a virtual machine, reinforcing strict control over data access.

Virtual Machine Provisioning and Isolation

Virtual machines are created by defining a name, selecting a team for CPU and memory allocation, and choosing an operating system. Both Linux and Windows environments are supported.

By default, virtual machines are locked down. Only the owner can connect to them, and all unnecessary ports remain closed. This hardened configuration reduces attack surface and supports zero-trust operational models.

Encrypted Disk Attachment and Key Exchange

Each drive is an encrypted volume with its own decryption key. When attaching a drive to a virtual machine, the user must authenticate in order to securely handle the disk key.

The disk key is stored within the user’s encrypted keychain. During attachment, the disk key is decrypted locally, then re-encrypted using the virtual machine’s public key. This allows the virtual machine to access the drive without exposing sensitive key material to the backend server. The server stores encrypted key material but cannot decrypt it.
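The following Go program is an added model of the key handling described above, not tiCrypt's own code: the disk key sits in the user's keychain encrypted under a key only the client holds, is decrypted locally at attach time, and is re-wrapped under the VM's public key, so the backend stores nothing but ciphertext. The algorithm choices (AES-256-GCM for the keychain entry, RSA-OAEP-SHA256 for the VM wrap) and every function name are assumptions for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// RandomBytes returns n bytes of fresh key material (disk key, keychain key, nonce).
func RandomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) } // no entropy means no key at all
	return b
}
// NewVMKey generates the VM keypair; the private half never leaves the VM (assumed RSA-2048).
func NewVMKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func gcmFor(key []byte) (cipher.AEAD, error) { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// KeychainSeal stores a disk key in the user's keychain: AES-256-GCM under a
// keychain key only the client holds. The nonce is prepended to the ciphertext.
func KeychainSeal(kcKey, diskKey []byte) ([]byte, error) {
	gcm, err := gcmFor(kcKey)
	if err != nil { return nil, err }
	nonce := RandomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, diskKey, nil), nil
}
// KeychainOpen is the local decryption step the client runs during attachment.
func KeychainOpen(kcKey, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(kcKey)
	if err != nil { return nil, err }
	ns := gcm.NonceSize()
	if len(blob) < ns { return nil, errors.New("keychain entry too short") }
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}
// AttachDrive is the client side of attachment: open the keychain entry locally, re-wrap
// the key under the VM public key (RSA-OAEP-SHA256) and return only ciphertext for the server.
func AttachDrive(kcKey, blob []byte, vmPub *rsa.PublicKey) ([]byte, error) {
	diskKey, err := KeychainOpen(kcKey, blob)
	if err != nil { return nil, err }
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, vmPub, diskKey, nil)
}
// UnwrapOnVM runs inside the VM, the only party holding the VM private key.
func UnwrapOnVM(vmPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, vmPriv, wrapped, nil)
}
```

The server-side view is the pair of blobs returned by KeychainSeal and AttachDrive; neither can be opened without a secret that exists only on the client or inside the VM.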

Secure RDP and Encrypted Communication

Virtual machines can be accessed through Remote Desktop (RDP) or secure terminal sessions. Communication occurs through an authenticated, encrypted tunnel between the user and the virtual machine.

Even though login credentials may appear visible during setup, the communication channel is protected using strong cryptographic authentication mechanisms, including Diffie-Hellman key exchange. The virtual machine listens only to the authenticated user session, preventing unauthorized interception or lateral access.

Controlled File Transfer Between Vault and VM

The interface enables drag-and-drop file transfer between the Vault and the virtual machine disk. Users can move documents into the processing environment or return processed outputs back to secure storage.

For sensitive environments, project-based policies can restrict whether data is allowed to move between storage and compute layers. This ensures that CUI handling requirements are enforced and that sensitive data does not leave controlled environments unintentionally.

Terminal Access and Parallel Sessions

In addition to graphical access, users can open multiple secure terminal sessions to the same virtual machine. There is no practical limit on concurrent terminals, enabling advanced workflows and parallel operations.

This flexibility supports developers, engineers, and analysts who require command-line environments while maintaining the same encrypted and isolated security architecture.

End-to-End Encrypted Compute Environment

The workflow demonstrated (creating a drive, attaching it to a virtual machine, and securely accessing the environment) reflects tiCrypt’s integrated design philosophy.

By combining encrypted storage, hardened virtual machines, authenticated tunnels, and project-based access control, tiCrypt provides a secure enclave for processing sensitive data without exposing underlying infrastructure.