
Encrypting Files

This guide covers how to encrypt files using Fractum, including configuration options and best practices.

[Figure: Fractum Secret Sharing Diagram]

Prerequisites

Before encrypting files, ensure that:

  • Fractum is properly installed (manually or using Docker)
  • The file you want to encrypt is ready
  • You have decided on your threshold (K) and total shares (N)
  • You know how you will distribute the shares (avoid keeping them gathered on the machine for long)

Basic Encryption

Interactive Mode

Run Fractum without arguments to enter interactive mode:

fractum -i

The interactive mode will:

• Display the current Fractum version
• Show available files in the current directory
• Prompt you to select the operation (encrypt/decrypt)
• Guide you through the configuration process

Command Line Mode

You can encrypt files directly from the command line using either manual installation or Docker.

With a manual installation:

fractum encrypt MY_FILE.txt --threshold 3 --shares 5 --label "my passwords" -v

Expected output:

Using label: my_passwords (spaces replaced with underscores)
Using existing shares directory
Generated share set ID: 086affead7924664
Generated shares: 5
Encrypted file: MY_FILE.txt.enc
Created archive: /Users/alice/pro_wks/fractum/shares/share_1_2.zip
Created archive: /Users/alice/pro_wks/fractum/shares/share_2_2.zip
Created archive: /Users/alice/pro_wks/fractum/shares/share_3_2.zip
Created archive: /Users/alice/pro_wks/fractum/shares/share_4_2.zip
Created archive: /Users/alice/pro_wks/fractum/shares/share_5_2.zip

With Docker, first ensure your file is in the data directory:

# Copy your file to the data directory
cp MY_FILE.txt data/

Then run the encryption command:

docker run --rm -it \
  --network=none \
  -v "$(pwd)/data:/data" \
  -v "$(pwd)/shares:/app/shares" \
  fractum-secure encrypt /data/MY_FILE.txt \
  --threshold 3 \
  --shares 5 \
  --label "my passwords" \
  -v

Expected output:

Using label: my_passwords
Using existing shares directory
Generated share set ID: 086affead7924664
Generated shares: 5
Encrypted file: /data/MY_FILE.txt.enc
Created archive: /app/shares/share_1.zip
Created archive: /app/shares/share_2.zip
Created archive: /app/shares/share_3.zip
Created archive: /app/shares/share_4.zip
Created archive: /app/shares/share_5.zip

Configuration Options

Threshold and Shares

  • Threshold (K): Number of shares required to decrypt the file
  • Total Shares (N): Total number of shares to generate
  • Rule: K ≤ N ≤ 255

Common configurations:

  • K=2, N=3: Minimal redundancy, simple recovery
  • K=3, N=5: Balanced security and recovery
  • K=5, N=8: Higher security for sensitive data

Output Structure

After encryption, Fractum creates:

current_directory/
├── MY_FILE.txt.enc          # Encrypted file
└── shares/                  # Shares directory
    ├── share_1.zip         # Share archive 1
    ├── share_2.zip         # Share archive 2
    ├── share_3.zip         # Share archive 3
    ├── share_4.zip         # Share archive 4
    └── share_5.zip         # Share archive 5

Each share ZIP archive contains:

  • Share data file with the cryptographic share
  • Metadata required for reconstruction
  • All necessary information for decryption

Best Practices for Encryption

  1. Choose appropriate K and N values based on your security requirements
  2. Use descriptive but secure labels for your encrypted files
  3. Immediately distribute shares to separate locations after encryption
  4. Verify the encryption completed successfully before distributing shares
  5. Document your threshold settings for future reference
  6. Test recovery with a non-sensitive file first

Security Considerations

  • Memory security: Fractum automatically clears sensitive data from memory
  • Temporary files: No unencrypted temporary files are created during encryption
  • Randomness: Fractum uses cryptographically secure random number generation
  • Key derivation: Each encryption uses a unique key derived from secure random data

For comprehensive security guidance, see our Security Best Practices guide.

Troubleshooting

Common Issues

  1. Insufficient disk space: Ensure adequate space for output files
  2. Permission errors: Check write permissions for the output directory
  3. File not found: Verify the file path is correct and accessible
  4. Invalid threshold: Ensure K ≤ N and both are positive integers

Verification Steps

After encryption:

  1. Check that all expected share files were created
  2. Verify checksums match the generated values
  3. Test decryption with a subset of shares (optional)
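
The first two verification steps can be scripted. The following is an added example, not part of Fractum or its documentation: it checks that the encrypted file and exactly N readable share archives exist, and returns a SHA-256 manifest to compare against once the shares have been moved. It assumes the archives are named share_*.zip inside a shares directory, as in the output shown on this page; the function names are hypothetical.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_output(enc_file, shares_dir, expected_shares):
    """Return (manifest, problems); manifest maps file name -> SHA-256."""
    enc_file, shares_dir = Path(enc_file), Path(shares_dir)
    problems, manifest = [], {}
    if not enc_file.is_file() or enc_file.stat().st_size == 0:
        problems.append(f"missing or empty encrypted file: {enc_file.name}")
    else:
        manifest[enc_file.name] = sha256_file(enc_file)
    archives = sorted(shares_dir.glob("share_*.zip"))  # assumed naming
    if len(archives) != expected_shares:
        problems.append(f"expected {expected_shares} shares, found {len(archives)}")
    for archive in archives:
        try:
            with zipfile.ZipFile(archive) as zf:
                bad = zf.testzip()  # CRC-checks every member of the archive
                if bad is not None or not zf.namelist():
                    problems.append(f"corrupt or empty archive: {archive.name}")
        except zipfile.BadZipFile:
            problems.append(f"not a valid ZIP: {archive.name}")
        manifest[archive.name] = sha256_file(archive)
    hashes = [h for n, h in manifest.items() if n != enc_file.name]
    if len(set(hashes)) != len(hashes):
        problems.append("two share archives are byte-identical")
    return manifest, problems


if __name__ == "__main__":
    # Constructed sample output: placeholder bytes, not real Fractum shares.
    with tempfile.TemporaryDirectory() as tmp:
        enc, shares = Path(tmp, "MY_FILE.txt.enc"), Path(tmp, "shares")
        shares.mkdir()
        enc.write_bytes(b"constructed ciphertext")
        for i in range(1, 6):
            with zipfile.ZipFile(shares / f"share_{i}.zip", "w") as zf:
                zf.writestr("share.txt", f"constructed share {i}")
        print(verify_output(enc, shares, 5))
```

Run it before distributing the shares and keep the manifest separately from them, so each custodian's copy can be re-hashed and compared later.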