Docker Usage

For ultra-secure operations, Fractum can run in a completely network-isolated Docker container. The primary benefit of this approach is that the --network=none flag provides users with confidence that the Fractum code cannot exfiltrate their secrets through any network connection. Additionally, this Docker setup can work inside a TEE using tools like Enclaver.io for even more advanced security scenarios.

Setup

  1. Clone the repository:

    git clone https://github.com/katvio/fractum.git
    cd fractum
    git checkout tags/v1.2.0
    

  2. Build the Docker image:

    docker build -t fractum-secure .
    

  3. Create data folders:

    mkdir -p data
    

  4. Place the file to be encrypted in the data folder:

This step is essential as the Docker container can only access files within the mounted data directory.

Linux/macOS:

    # Move a file to the data directory
    mv /path/to/your/file.txt data/

    # Or copy if you want to keep the original
    cp /path/to/your/file.txt data/

Windows (PowerShell):

    # Move a file to the data directory
    Move-Item "C:\path\to\your\file.txt" data\

    # Or copy if you want to keep the original
    Copy-Item "C:\path\to\your\file.txt" data\

Usage Examples

Encrypting a file

Linux/macOS:

docker run --rm -it \
  --network=none \
  -v "$(pwd)/data:/data" \
  -v "$(pwd)/shares:/app/shares" \
  fractum-secure encrypt /data/YOUR_FILE \
  --threshold 3 \
  --shares 5 \
  --label "descriptive-name" \
  -v

Expected output:

Using label: descriptive-name
Using existing shares directory
Generated share set ID: 708c547f308b39a9
Generated shares: 5
Encrypted file: /data/YOUR_FILE.enc
Created archive: /app/shares/share_1.zip
Created archive: /app/shares/share_2.zip
Created archive: /app/shares/share_3.zip
Created archive: /app/shares/share_4.zip
Created archive: /app/shares/share_5.zip

Windows (PowerShell):

docker run --rm -it `
  --network=none `
  -v "${PWD}\data:/data" `
  -v "${PWD}\shares:/app/shares" `
  fractum-secure encrypt /data/YOUR_FILE `
  --threshold 3 `
  --shares 5 `
  --label "descriptive-name" `
  -v

Expected output:

Using label: descriptive-name
Using existing shares directory
Generated share set ID: 708c547f308b39a9
Generated shares: 5
Encrypted file: /data/YOUR_FILE.enc
Created archive: /app/shares/share_1.zip
Created archive: /app/shares/share_2.zip
Created archive: /app/shares/share_3.zip
Created archive: /app/shares/share_4.zip
Created archive: /app/shares/share_5.zip
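The following is an added POSIX shell wrapper, not Fractum's own code: it performs the host-side checks implied by the Setup section (share parameters, a bare file name, the file actually sitting in ./data), then runs the isolated docker command above, and verifies a captured encrypt log before the plaintext is discarded. It assumes the image tag fractum-secure and the ./data and ./shares directories from Setup; the function names and the FRACTUM_DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Added wrapper for the network-isolated encrypt run (not part of Fractum).
# Assumes the image is tagged fractum-secure and that ./data and ./shares
# exist in the current directory, as created in the Setup section.

# Both values numeric, threshold at least 2 and no greater than the share count.
fractum_check_params() {
    for n in "$1" "$2"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -ge 2 ] && [ "$1" -le "$2" ]
}

# Accept only a bare file name: the container sees nothing outside the /data
# mount, so a name containing "/" or ".." is a mistake, not a usable path.
fractum_check_filename() {
    case "$1" in ''|*/*|*..*) return 1 ;; esac
    return 0
}

# Host-side pre-flight checks, then the docker run command from this page.
# With FRACTUM_DRY_RUN=1 the command is printed one argument per line instead.
fractum_encrypt() {
    file=$1; threshold=$2; shares=$3; label=$4
    fractum_check_filename "$file" || { echo "bad file name: $file" >&2; return 1; }
    fractum_check_params "$threshold" "$shares" ||
        { echo "bad threshold/shares: $threshold/$shares" >&2; return 1; }
    [ -d data ] && [ -d shares ] || { echo "create ./data and ./shares first" >&2; return 1; }
    [ -f "data/$file" ] || { echo "data/$file missing: the container only sees ./data" >&2; return 1; }
    set -- docker run --rm -it --network=none \
        -v "$PWD/data:/data" -v "$PWD/shares:/app/shares" \
        fractum-secure encrypt "/data/$file" \
        --threshold "$threshold" --shares "$shares" --label "$label" -v
    if [ "${FRACTUM_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$@"; else "$@"; fi
}

# Check a captured encrypt log (stdin) before the plaintext is discarded:
# an "Encrypted file:" line and exactly one "Created archive:" line per share.
fractum_check_output() {
    log=$(cat)
    printf '%s\n' "$log" | grep -q '^Encrypted file: ' || return 1
    archives=$(printf '%s\n' "$log" | grep -c '^Created archive: ' || true)
    [ "$archives" -eq "$1" ]
}
```

Run `fractum_encrypt YOUR_FILE 3 5 descriptive-name` from the directory that holds data/ and shares/, and pipe the saved log through `fractum_check_output 5` to confirm all five share archives were written.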

Decrypting a file

Linux/macOS:

docker run --rm -it \
  --network=none \
  -v "$(pwd)/data:/data" \
  -v "$(pwd)/shares:/app/shares" \
  fractum-secure decrypt /data/YOUR_FILE.enc \
  --shares-dir /app/shares

Windows (PowerShell):

docker run --rm -it `
  --network=none `
  -v "${PWD}\data:/data" `
  -v "${PWD}\shares:/app/shares" `
  fractum-secure decrypt /data/YOUR_FILE.enc `
  --shares-dir /app/shares

Security Benefits

The Docker approach provides several security benefits:

  1. Complete network isolation: The --network=none flag prevents any network access
  2. Non-root execution: Container runs as a non-privileged user
  3. Minimal attack surface: Only necessary files are included in the container
  4. Read-only code: Application code cannot be modified during execution
  5. Ephemeral environment: Container is destroyed after each use with --rm

Understanding Docker Arguments

Argument                          Purpose
--------------------------------  ---------------------------------------------------
--rm                              Automatically remove the container when it exits
-it                               Interactive mode with a terminal
--network=none                    Completely isolate from all networks
-v "$(pwd)/data:/data"            Mount local data directory into container
-v "$(pwd)/shares:/app/shares"    Mount local shares directory into container

Troubleshooting

If you encounter issues with the Docker setup:

  1. Ensure Docker is properly installed and running
  2. Verify that your user has permissions to run Docker commands
  3. Check that the data and shares directories exist and are accessible
  4. Confirm that the file you want to encrypt is in the data directory