Fractum is designed for organizations and individuals who need to securely store critical information. It provides enterprise-grade cold storage with mathematical guarantees, eliminating single points of failure through distributed secret sharing.
It is a fully offline, portable CLI for Shamir's Secret Sharing (SSS) combined with AES-256-GCM file encryption. Split secrets (passwords, SSH keys, etc.) into shares and reconstruct them laterβsecurely, cross-platform, with minimal setup. Works with any file type without restrictions (documents, images, zip, databases, etc.).
πΌ High-Value Use Cases:
- Cryptocurrency wallet protection: Seed phrases, private keys, hardware wallet backups
- Backup encryption master keys: Protect your backup infrastructure encryption keys
- Root CA private keys: Certificate authority and PKI infrastructure protection
- Emergency recovery credentials: Admin passwords, break-glass access credentials
- Password manager exports: LastPass, Bitwarden, KeePass backup files
- Legal & financial documents: Wills, contracts, tax records, insurance papers
β‘οΈ Distributed Architecture Benefits:
- Bus Factor Protection: Write a Will and instructions for family members - they can pool shares to recover your assets
- Theft/Loss Protection: House fire, kidnapping/hostage situations, or lost hardware wallet - shares remain secure because you cannot be forced to access distant physical locations immediately
- Geographic distribution: Store shares across multiple locations (family, friends, safe deposit boxes)
- No single point of failure: Distributed trust across shares with threshold cryptography
- Zero-knowledge property: K-1 shares reveal absolutely nothing about your secrets
π‘οΈ Enterprise Security Features:
- Works completely offline: perfect for air-gapped environments
- Memory protection: Secure deletion and swap prevention
- FIPS 140-2 compatible: Uses industry-standard algorithms
- Container-native: Docker with security hardening and non-root execution
- The Docker way (recommended usage)
- How it works
- Security Architecture
- Complete Security Architecture Details
- Manual installation using venv
- Contributing
- License
- Complete Documentation
- Security Best Practices
Fractum can run in a completely network-isolated Docker container. The primary benefit of this approach is that the --network=none flag provides users with confidence that the Fractum code cannot exfiltrate their secrets through any network connection. Additionally, this Docker setup can work inside a TEE using tools like Enclaver.io for even more advanced security scenarios.
π Complete Docker Usage Guide
- Clone the repository
git clone https://github.com/katvio/fractum.git
cd fractum && git checkout tags/v1.2.0
- Create data folders
mkdir -p data
- Build the Docker image
docker build -t fractum-secure .
- Place the file to be encrypted in the data folder
mv /path/to/your/passwords-export.csv data/
This step is essential as the Docker container can only access files within the mounted data directory
docker run --rm -it \
--network=none \
-v "$(pwd)/data:/data" \
-v "$(pwd)/shares:/app/shares" \
fractum-secure encrypt /data/passwords-export.csv \
--threshold 3 \
--shares 5 \
--label "bitwarden-backup" \
-v
Expected output:
Using label: bitwarden-backup
Using existing shares directory
Generated share set ID: 708c547f308b39a9
Generated shares: 5
Encrypted file: /data/passwords-export.csv.enc
Created archive: /app/shares/share_1.zip
Created archive: /app/shares/share_2.zip
Created archive: /app/shares/share_3.zip
Created archive: /app/shares/share_4.zip
Created archive: /app/shares/share_5.zip
docker run --rm -it \
--network=none \
-v "$(pwd)/data:/data" \
-v "$(pwd)/shares:/app/shares" \
fractum-secure decrypt /data/passwords-export.csv.enc \
--shares-dir /app/shares
> File successfully decrypted: /data/passwords-export.csv
For more detailed Docker usage instructions and security considerations, see our Docker Usage Guide.
Fractum transforms your sensitive files into distributed, encrypted shares using mathematically proven cryptographic techniques. Here's the technical process:
π Complete Documentation | π Security Architecture Details
Input:
- Your sensitive file (any type: documents, images, databases, etc.)
- Optional: Existing shares for key reuse
Output:
- Encrypted file with
.encextension - Multiple self-contained share archives (ZIP files)
- Each share contains: share data, encrypted file, complete Fractum application, and bootstrap scripts
π Learn more: Encrypting Files Guide | Decrypting Files Guide | Security Best Practices
Fractum's security architecture combines AES-256-GCM encryption with Shamir's Secret Sharing to provide information-theoretic security for long-term cold storage.
π Complete Security Architecture Details
Core Security Features:
- AES-256-GCM: Authenticated encryption with 256-bit keys and unique nonces
- Threshold cryptography: Configurable K-of-N security model using finite field arithmetic
- Memory protection: Automatic clearing with secure deletion and swap prevention
- Air-gapped design: No network dependencies during cryptographic operations
- Multi-layer integrity: GCM authentication tags + SHA-256 hashing + metadata validation
Standards Compliance:
- β FIPS 140-2 compatible algorithms
- β NIST recommended key sizes
- β Information-theoretic security guarantees
If you want to contribute submit a GitHub pull request or open an issue. Thank you! Any contribution is better than no contribution :)
π Contributing Guide | π Security Best Practices
Fractum is licensed under a Custom Proprietary Software License that permits personal, non-commercial use. Commercial use is not permitted under this license.
π View Full License