v1.4.0 · Apache 2.0 licensed

Long-term cold store of critical files

Fractum splits sensitive files into encrypted shares with AES-256-GCM and Shamir's Secret Sharing. Any K shares reconstruct the secret; fewer than K reveal nothing. Fully offline, no single point of failure.

100% open source
Established cryptographic primitives
Offline workflow

The problem

Secrets stored in one place are one accident away from gone.

Most people store critical secrets in single points of failure: hardware wallets, password managers, or encrypted files hidden in one location. If one of these fails, is stolen, is destroyed in a fire, or you forget where you hid it, the asset can be lost forever.

The Fractum approach

Split trust across shares, not across hope.

Fractum eliminates single points of failure through Shamir's Secret Sharing. Your secrets are split into shares where any K shares can reconstruct the original, but K-1 shares reveal nothing about it.

How it works

Three steps, fully offline, no cloud round-trip.

STEP 01

Gather your asset

Seed phrases, root CA keys, password manager exports, emergency credentials.

STEP 02

Run Fractum

AES-256-GCM encrypts the file, then the key is split via Shamir's Secret Sharing into N shares with threshold K.

STEP 03

Distribute your shares

Store shares across people, locations, or media. Recovery stays portable, offline, and self-contained.

| Cryptographic standard | Used for | Also used in |
| --- | --- | --- |
| AES-256-GCM | Authenticated file encryption | Signal, AWS, Google Cloud, Apple |
| Shamir's Secret Sharing | Splitting the key into K-of-N shares | SLIP-39-style custody models, DNSSEC ceremonies |
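
The key split from step 02, as an added Python sketch that is not Fractum's own code: it shares a 32-byte key (standing in for the AES-256-GCM file key) and shows that any K shares recover it while K-1 do not. The prime field, the share layout, and the names `split_key` and `recover_secret` are assumptions made for this illustration; the AES-GCM step and Fractum's actual share format are not shown.

```python
# Added illustration of K-of-N Shamir sharing; not taken from Fractum.
import secrets
from itertools import combinations

PRIME = 2**521 - 1  # assumed field modulus (a Mersenne prime), larger than any 256-bit key


def split_key(key: bytes, k: int, n: int) -> list[tuple[int, int]]:
    """Return n shares (x, f(x)) of a random degree-(k-1) polynomial with f(0) = key."""
    if not 2 <= k <= n:
        raise ValueError("need 2 <= k <= n")
    if len(key) > 64:
        raise ValueError("key does not fit in the field")
    # coeffs[0] is the secret; the k-1 higher coefficients are uniformly random
    coeffs = [int.from_bytes(key, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):  # x = 0 would leak the secret, so start at 1
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate f(0) from the shares supplied."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample key
    want = int.from_bytes(key, "big")
    shares = split_key(key, k=3, n=5)
    # every 3-share subset recovers the key; a 2-share subset yields an unrelated value
    print(all(recover_secret(list(c)) == want for c in combinations(shares, 3)))
    print(recover_secret(shares[:2]) == want)
```

In a full encrypt-then-split workflow, a reconstruction from too few or corrupted shares would surface as an AES-GCM authentication failure when the wrong key is used for decryption.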

Why Fractum for cold storage

Built for long-term custody, recovery planning, and offline operations.

High-value use cases

Crypto wallet seed phrases, root CA keys, password manager exports, legal and financial documents.

No single point of failure

Fire, theft, or a lost device cannot compromise a properly distributed share set.

Air-gapped security

Use --network=none in Docker when your threat model requires network isolation.

Production-oriented

Non-root containers, reproducible builds, minimal dependencies, cross-platform workflows.

Built for developers

CLI-first, scriptable, open source, and documented end to end.

Security standards

Established primitives, transparent implementation, and explicit limitations.

AES-256-GCM for authenticated file encryption
Threshold sharing: K-of-N recovery model
Open source for review and verification
Best-effort cleanup for mutable key buffers

No formal mathematical verification has been performed and side-channel attacks are not explicitly mitigated. See full limitations.

Get started in minutes

Choose the installation path that matches your threat model.

Docker (recommended)

Complete network isolation. Best for production and security-conscious operations.

Manual installation

Full control for developers. Cross-platform with automation scripts.