Encrypting Files
This guide covers how to encrypt files using Fractum, including configuration options and best practices.
Prerequisites
Before encrypting files, ensure you have:
- Fractum properly installed (manually or using docker)
- The file you want to encrypt ready
- Decided on your threshold (K) and total shares (N)
- A plan for how you'll distribute the shares (avoid keeping them gathered on the machine for too long)
Basic Encryption
Interactive Mode
Run Fractum without arguments to enter interactive mode:
The interactive mode will:
• Display the current Fractum version
• Show available files in the current directory
• Prompt you to select the operation (encrypt/decrypt)
• Guide you through the configuration process
Command Line Mode
You can encrypt files directly from the command line using either manual installation or Docker.
Expected output:
Using label: my_passwords (spaces replaced with underscores)
Using existing shares directory
Generated share set ID: 086affead7924664
Generated shares: 5
Encrypted file: MY_FILE.txt.enc
Created archive: /Users/alice/pro_wks/fractum/shares/share_1_2.zip
Created archive: /Users/alice/pro_wks/fractum/shares/share_2_2.zip
Created archive: /Users/alice/pro_wks/fractum/shares/share_3_2.zip
Created archive: /Users/alice/pro_wks/fractum/shares/share_4_2.zip
Created archive: /Users/alice/pro_wks/fractum/shares/share_5_2.zip
First, ensure your file is in the data directory:
Then run the encryption command:
docker run --rm -it \
  --network=none \
  -v "$(pwd)/data:/data" \
  -v "$(pwd)/shares:/app/shares" \
  fractum-secure encrypt /data/MY_FILE.txt \
  --threshold 3 \
  --shares 5 \
  --label "my passwords" \
  -v
Expected output:
Using label: my_passwords
Using existing shares directory
Generated share set ID: 086affead7924664
Generated shares: 5
Encrypted file: /data/MY_FILE.txt.enc
Created archive: /app/shares/share_1.zip
Created archive: /app/shares/share_2.zip
Created archive: /app/shares/share_3.zip
Created archive: /app/shares/share_4.zip
Created archive: /app/shares/share_5.zip
Configuration Options
Threshold and Shares
- Threshold (K): Number of shares required to decrypt the file
- Total Shares (N): Total number of shares to generate
- Rule: K ≤ N ≤ 255
Common configurations:
- K=2, N=3: Minimal redundancy, simple recovery
- K=3, N=5: Balanced security and recovery
- K=5, N=8: Higher security for sensitive data
Output Structure
After encryption, Fractum creates:
current_directory/
├── MY_FILE.txt.enc      # Encrypted file
└── shares/              # Shares directory
    ├── share_1.zip      # Share archive 1
    ├── share_2.zip      # Share archive 2
    ├── share_3.zip      # Share archive 3
    ├── share_4.zip      # Share archive 4
    └── share_5.zip      # Share archive 5
Each share ZIP archive contains:
- Share data file with the cryptographic share
- Metadata required for reconstruction
- All necessary information for decryption
Best Practices for Encryption
- Choose appropriate K and N values based on your security requirements
- Use descriptive but secure labels for your encrypted files
- Immediately distribute shares to separate locations after encryption
- Verify the encryption completed successfully before distributing shares
- Document your threshold settings for future reference
- Test recovery with a non-sensitive file first
Security Considerations
- Memory security: Fractum automatically clears sensitive data from memory
- Temporary files: No unencrypted temporary files are created during encryption
- Randomness: Fractum uses cryptographically secure random number generation
- Key derivation: Each encryption uses a unique key derived from secure random data
For comprehensive security guidance, see our Security Best Practices guide.
Troubleshooting
Common Issues
- Insufficient disk space: Ensure adequate space for output files
- Permission errors: Check write permissions for the output directory
- File not found: Verify the file path is correct and accessible
- Invalid threshold: Ensure K ≤ N and both are positive integers
Verification Steps
After encryption:
- Check that all expected share files were created
- Verify checksums match the generated values
- Test decryption with a subset of shares (optional)
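The first two verification steps can be scripted. The following is an added example, not part of Fractum or its documentation: it assumes the archives match share_*.zip as in the output shown above, and because the file names inside a share archive are not documented here it checks only ZIP integrity, then records a SHA-256 digest per archive for comparison after distribution. The function names and the sample archives are constructed for illustration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def verify_shares(shares_dir, expected_n, threshold_k):
    """Check the shares directory after encryption; return {archive name: sha256 hex}."""
    if not 1 <= threshold_k <= expected_n <= 255:
        raise ValueError("need 1 <= K <= N <= 255")
    archives = sorted(Path(shares_dir).glob("share_*.zip"))
    if len(archives) != expected_n:
        raise RuntimeError(f"expected {expected_n} share archives, found {len(archives)}")
    manifest = {}
    for path in archives:
        if not zipfile.is_zipfile(path):
            raise RuntimeError(f"{path.name}: not a ZIP archive")
        with zipfile.ZipFile(path) as zf:
            # testzip() re-reads every member and returns the first one whose CRC fails
            bad_member = zf.testzip()
            if bad_member is not None or not zf.namelist():
                raise RuntimeError(f"{path.name}: corrupt or empty archive")
        manifest[path.name] = hashlib.sha256(path.read_bytes()).hexdigest()
    # Assumption: every share is distinct, so byte-identical archives indicate
    # that one share was copied over another
    if len(set(manifest.values())) != expected_n:
        raise RuntimeError("duplicate share archives detected")
    return manifest


def make_sample_shares(directory, n):
    """Constructed stand-in for real output: n small ZIPs with placeholder content."""
    for i in range(1, n + 1):
        with zipfile.ZipFile(Path(directory) / f"share_{i}.zip", "w") as zf:
            zf.writestr("share.txt", f"constructed placeholder share {i}")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_shares(tmp, 5)
        for name, digest in verify_shares(tmp, expected_n=5, threshold_k=3).items():
            print(digest, name)
```

Keep the printed digests separate from the shares so each recipient can confirm their copy arrived unmodified.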