katvio/fractum

Fractum

Split any sensitive file into encrypted shares and reconstruct it only when enough shares are pooled: fully offline, no cloud, no single point of failure.

Designed for long-term cold storage of critical secrets: recovery credentials, database and password-manager exports, family photos, legal documents, crypto seed phrases.

Fractum splits a file into N encrypted shares, K of which reconstruct it

When to use it:

  • Emergency recovery creds (admin passwords, break-glass access)
  • Backup encryption master keys
  • Root CA / PKI private keys
  • Legal & financial documents (wills, contracts, tax records)
  • Cryptocurrency (seed phrases, private keys, hardware wallet backups)
  • Family photos

Why distributed?

  • Fewer than K shares reveal nothing: information-theoretic security (same as Trezor SLIP-39, ICANN DNSSEC ceremonies)
  • No single point of failure: distribute shares across people, locations, media. No $5 Wrench Attack
  • Works completely offline in air-gapped environments

How it works

Fractum encrypts your file with AES-256-GCM, then splits the encryption key into N shares via Shamir's Secret Sharing. Any K shares reconstruct the key and decrypt the file; fewer than K reveal nothing about it. No novel cryptography: only battle-tested primitives.

📚 Full documentation


Quick start — Docker (recommended)

Docker is the recommended way to run Fractum. The --network=none flag guarantees the container cannot exfiltrate your secrets over the network.

📚 Complete Docker guide

Setup:

git clone https://github.com/katvio/fractum.git
cd fractum && git checkout tags/v1.4.0
mkdir -p data shares
docker build -t fractum-secure .

Encrypt:

docker run --rm -it \
  --network=none \
  -v "$(pwd)/data:/data" \
  -v "$(pwd)/shares:/app/shares" \
  fractum-secure encrypt /data/passwords-export.csv \
  --threshold 3 --shares 5 --label "bitwarden-backup"

Decrypt:

docker run --rm -it \
  --network=none \
  -v "$(pwd)/data:/data" \
  -v "$(pwd)/shares:/app/shares" \
  fractum-secure decrypt /data/passwords-export.csv.enc \
  --shares-dir /app/shares

Decrypting with 3 of 5 shares to reconstruct passwords-export.csv

📚 All CLI options · Decrypting guide · Manual install


Commands

Inside the container (or after a manual install), the binary is fractum. Prefix with docker run --rm -it --network=none -v "$(pwd)/data:/data" -v "$(pwd)/shares:/app/shares" fractum-secure to run any of these in Docker.

fractum -i                  # interactive mode — guided menu, no flags needed
fractum --version           # print the version

# Encrypt: split FILE into N shares, K of which are needed to recover it
fractum encrypt FILE -t <threshold> -n <shares> [OPTIONS]
  -t, --threshold <int>      shares required to reconstruct (required)
  -n, --shares <int>         total shares to generate (required)
  -l, --label <str>          label identifying the share set (default: filename)
  -e, --existing-shares DIR  reuse an existing share set instead of generating a new key
  --full-metadata            embed label/total_shares/share_set_id in shares (less private, eases debugging)
  -b, --bundle-encrypted     also copy the .enc file into every share ZIP (default: .enc stays out of the ZIPs)
  -v, --verbose              verbose output

# Decrypt: reconstruct FILE.enc from K-of-N shares
fractum decrypt FILE.enc [OPTIONS]
  -s, --shares-dir DIR       directory with share .txt files and/or share ZIPs
  -m, --manual-shares        type share index/value pairs by hand instead of reading files
  -v, --verbose              verbose output


Security

🔍 Security Architecture · 🛡️ Security Best Practices


Contributing

Submit a pull request or open an issue.

📚 Contributing Guide

License

Fractum is licensed under a Custom Proprietary Software License that permits personal, non-commercial use. Commercial use is not permitted.

📄 View Full License
