
Trustee Guide

This guide is for electoral committee members serving as trustees: the people responsible for holding the cryptographic keys that protect election secrecy. If you have been asked to act as a trustee for an Electobox election, this guide explains everything you need to know: what the role involves, what you will be asked to do, when you will need to act, and how to keep your key safe.

Being a trustee is a meaningful responsibility. The security of the entire election depends on trustees doing their part correctly and keeping their private key files safe. The good news is that the technical steps are straightforward and handled entirely in your browser: no software installation, no command lines, no technical expertise required. What matters most is that you act promptly when you receive your emails and that you store your key file carefully.


Your role

Electobox uses a cryptographic technique called threshold encryption to protect ballot secrecy. When the election opens, every vote cast is encrypted using a key that has been mathematically split among all the trustees. No single trustee holds the complete key and, critically, Electobox itself does not hold it either. This means that no individual person and no single system can access the raw vote data alone.

The only way to decrypt the results is for every trustee to contribute their individual portion of the key simultaneously. This design ensures that the vote remains secret and tamper-proof throughout the election period. Not even the election administrators can see how anyone voted while the election is running. When voting closes and it is time to produce the official tally, all trustees must act together to unlock the results.

This split-key approach is a deliberate security property, not a limitation of the system. It means the privacy of every voter's ballot is protected by multiple independent parties rather than by trusting any one person or organization.
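
The split-key property described above can be illustrated with n-of-n ElGamal, a common way to build this kind of scheme. This is an added example, not Electobox's code: the page does not name its scheme or parameters, so the toy group, the function names, and the fixed keys and nonce are all assumptions.

```javascript
// Added illustration: n-of-n ElGamal over a toy group. NOT Electobox's code;
// the page does not name its scheme or parameters, so all of this is assumed.
// Constructed toy group: P = 2*509 + 1, G generates the subgroup of order 509.
const P = 1019n, G = 4n;

function modPow(base, exp, mod) {
  let out = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) out = (out * base) % mod;
    base = (base * base) % mod;
  }
  return out;
}
const mulAll = (xs) => xs.reduce((acc, x) => (acc * x) % P, 1n);

// Key generation: each trustee keeps `priv` and publishes only `pub`.
const trusteeKeygen = (priv) => ({ priv, pub: modPow(G, priv, P) });

// The election key is the product of every trustee's public key, so its
// private counterpart (the sum of all privs) is never held by anyone.
const electionKey = (trustees) => mulAll(trustees.map((t) => t.pub));

// Encrypt a vote m (encoded as G^m) under the election key with nonce r.
const encrypt = (h, m, r) => ({
  c1: modPow(G, r, P),
  c2: (modPow(G, m, P) * modPow(h, r, P)) % P,
});

// Decryption share: computed locally from the trustee's private key.
const decryptionShare = (ct, priv) => modPow(ct.c1, priv, P);

// Combine shares; yields G^m only when every trustee's share is included.
function combineShares(ct, shares) {
  const maskInverse = modPow(mulAll(shares), P - 2n, P); // Fermat inverse
  return (ct.c2 * maskInverse) % P;
}

// Constructed demo values; real keys and nonces come from a CSPRNG.
function demo() {
  const trustees = [123n, 77n, 400n].map(trusteeKeygen);
  const ct = encrypt(electionKey(trustees), 1n, 321n);
  const shares = trustees.map((t) => decryptionShare(ct, t.priv));
  return {
    expected: modPow(G, 1n, P),
    allTrustees: combineShares(ct, shares),
    oneMissing: combineShares(ct, shares.slice(0, 2)),
  };
}
```

With all three shares the combined value equals the encoded vote; with one share missing the result is an unrelated group element, which is why a lost key file makes the tally unrecoverable.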


What you'll do

Your involvement as a trustee happens at two specific points in the election timeline, and both are triggered by emails you will receive automatically. You do not need to log in to any dashboard or check on the election's progress; Electobox will contact you when your action is needed.

| Task | When | What it involves |
| --- | --- | --- |
| Generate your keys | Before voting begins | Your browser generates a cryptographic key pair. You download and store your private key, then verify you can access it. |
| Decrypt votes | After voting closes | You upload your saved private key file and your browser uses it to process the encrypted ballots, contributing your share of the decryption. |

Both tasks are completed entirely within your browser using a secure link sent to your email. The links are one-time use and time-limited, so act on them when you receive them rather than setting them aside for later. Key generation links are valid for 7 days. Decryption links are valid for 14 days.

If a link expires before you use it, contact your election administrator; they can issue you a new one.


What you need

You do not need to install any software, create an account, or have any technical background. Everything happens through a standard web browser. However, a few things will make the process much smoother:

  • A desktop or laptop computer — Tablets and phones are not recommended. The key generation and decryption processes involve file downloads and uploads that work most reliably on a full computer.
  • Google Chrome — Strongly recommended. The trustee workflow is built and tested for Chrome. Other modern browsers may work, but if you encounter any issues, switching to Chrome will resolve most of them.
  • A USB drive — For backing up your private key file after generating it. This is not strictly required, but it is strongly advised. Storing your key in only one place on your laptop is a risk. Laptops get lost, stolen, or wiped. A USB drive kept somewhere safe gives you a backup.
  • A stable internet connection — Particularly important during the decryption step, where your browser will be processing and uploading encrypted ballot data. A dropped connection mid-decryption may require you to restart that ballot.

Protecting your key

After you complete the key generation step, you will have a file on your computer called trustee-key.json. This file is your private key — the single piece of data that enables your contribution to the decryption. There is no copy of it anywhere else. Electobox does not store it. Your administrator does not have it. Nobody can recreate it if it is lost.

Treat this file the way you would treat a physical key to a secure vault. Some practical guidance:

Store it in at least two separate locations. The moment you download it, save a copy to your computer in a folder you will remember, and immediately copy it to a USB drive. Keep the USB drive somewhere physically secure: a desk drawer at home, a locked cabinet, or anywhere you know it will be safe and accessible when you need it.

Do not share it with anyone. Your private key is personal to you. Sharing it would allow someone else to act on your behalf in the decryption, which undermines the security model. Even if someone you trust asks to help with the decryption process, they should not need your key file; they have their own.

Do not email it to yourself unencrypted. If you use email to transfer the file between devices, anyone who can access your email could intercept it. If you need to move the file, use a USB drive or an encrypted file transfer service.

Do not upload it to public cloud storage. Services like Google Drive, Dropbox, or iCloud are convenient but not appropriate for a cryptographic private key. If those services are ever compromised, your key would be exposed.

Remember where you put it. This sounds obvious, but the most common issue trustees encounter is simply not being able to find the file when the decryption email arrives weeks after key generation. Name the folder something memorable and consider leaving yourself a note about where the USB backup is stored.

Danger: If your private key file is permanently lost, the election results cannot be recovered. This is a deliberate security property of the system: it is the same property that prevents anyone from accessing results without trustee participation. Contact your election administrator immediately if you believe your key has been lost.


Questions about the process or your responsibilities? Contact your election administrator.