Frequently Asked Questions (FAQ)¶

Get instant answers to the most common questions about Fractum, the enterprise-grade secret sharing tool using Shamir's Secret Sharing and AES-256-GCM encryption.

What is Fractum?¶

Fractum is an enterprise-grade secret sharing tool that uses Shamir's Secret Sharing (SSS) and AES-256-GCM encryption to split sensitive files into encrypted shares. It's designed for secure cold storage of passwords, crypto wallets, SSH keys, and critical documents.

Key features:

• Shamir's Secret Sharing algorithm for mathematical security
• AES-256-GCM military-grade encryption for file protection
• Offline operation for air-gapped environments
• Cross-platform support (Windows, macOS, Linux)
• Docker containerization for maximum isolation

How does Shamir's Secret Sharing work in Fractum?¶

Shamir's Secret Sharing splits your encrypted file into multiple shares using polynomial mathematics. You define:

• Threshold (K): Minimum shares needed to reconstruct the file
• Total shares (N): Total number of shares created

Example: With K=3 and N=5, you need any 3 of the 5 shares to reconstruct your original file.

Mathematical security guarantee: Fewer than K shares provide zero information about the original file - this is information-theoretically secure.

What can I protect with Fractum?¶

Fractum can secure any sensitive file or data:

• Cryptocurrency wallets and private keys
• SSH keys and certificates
• Password databases and credential files
• Critical business documents and contracts
• Personal sensitive data like tax records
• Encryption keys and certificates
• Configuration files with sensitive settings

File size limits: Fractum can handle files from a few bytes up to several gigabytes.

Can Fractum be used offline for air-gapped security?¶

Yes, Fractum is specifically designed for offline operation and air-gapped environments.

Offline capabilities:

• No internet connection required for encryption or decryption
• All cryptographic operations happen locally
• Perfect for high-security environments
• No data transmission to external servers
• Complete network isolation support

Best practice: Use Fractum on an air-gapped system that has never been connected to the internet for maximum security.

What encryption standard does Fractum use?¶

Fractum uses AES-256-GCM encryption, which provides:

• AES-256: Advanced Encryption Standard with 256-bit keys
• GCM mode: Galois/Counter Mode for authenticated encryption
• Military-grade security: Same standard used by governments worldwide
• Authentication: Prevents tampering and ensures data integrity
• Performance: Fast encryption/decryption operations

Security guarantee: AES-256 is considered quantum-resistant for the foreseeable future.

How do I choose the right threshold and share settings?¶

Threshold selection depends on your security vs. accessibility needs:

Key considerations:

• Higher K = More security but harder recovery
• Extra shares (N-K) provide backup against loss
• Optimal ratio: K should be 60-70% of N for balanced security

How secure is Fractum compared to other solutions?¶

Fractum provides information-theoretic security, which means:

• Mathematical proof: Security is guaranteed by mathematics, not just computational difficulty
• No brute force attacks: Impossible to guess the secret with fewer than K shares
• Zero-knowledge: Individual shares reveal nothing about the original data

Comparison with other methods:

• More secure than simple password protection
• More secure than single encryption key storage
• Equivalent security to enterprise HSMs but more accessible
• Better disaster recovery than single-point storage

Why choose Fractum over enterprise solutions like HashiCorp Vault or HSMs?¶

Fractum is designed for different use cases than active secret managers:

When to use Fractum (Cold Storage):

• Long-term secret storage (years/decades)
• Emergency recovery scenarios
• Air-gapped environments with no infrastructure
• Personal use cases without enterprise budgets
• Backup encryption keys and root CA private keys
• Cryptocurrency cold storage and seed phrases

When to use Vault/HSMs (Active Management):

• Daily secret operations and API key rotation
• Enterprise infrastructure with dedicated teams
• High-frequency operations (thousands per day)
• Runtime application secrets and service authentication

Cost comparison: HSMs cost thousands of dollars and require infrastructure. Fractum is free and works everywhere.

Where should I store the shares?¶

Strategic share distribution is critical for security:

Recommended storage locations:

• Bank safe deposit boxes (professional security)
• Home safes (fire-rated, burglary-resistant)
• Attorney offices (legal protection)
• Corporate vaults (enterprise environments)
• Trusted family/colleagues (geographic distribution)
• Multiple USB drives (different manufacturers to prevent simultaneous failure and bit rot)

Security principles:

• Geographic separation: Different cities/countries
• Independent custodians: People who don't know each other
• Secure communication: Encrypted channels for coordination
• Environmental protection: Waterproof, fireproof storage

What happens if I lose some shares?¶

Fractum's threshold system provides built-in redundancy:

• Shares needed: Only K shares (threshold) required for recovery
• Buffer shares: Extra shares (N-K) protect against loss
• Example: With 3-of-5 threshold, you can lose 2 shares and still recover

Recovery scenarios:

• 1-2 shares lost: Full recovery possible with remaining shares
• Multiple shares lost: Recovery if you still have K shares
• Below threshold: Recovery impossible - this is by design for security

Best practice: Create more shares than your minimum threshold to protect against loss.

Can someone access my data with one share?¶

No. This is guaranteed by Shamir's Secret Sharing mathematics.

Security properties:

• Information-theoretic security: Having K-1 shares provides zero information
• No partial reconstruction: You cannot get "part" of the original file
• No brute force possible: Cannot guess the missing shares
• Quantum-resistant: Even quantum computers cannot break this property for the foreseeable future

Example: With a 3-of-5 threshold, having 1 or 2 shares tells an attacker nothing about your original file.

How does Fractum protect against coercion attacks and kidnapping?¶

Fractum's distributed model provides several protections against physical coercion:

Time-based protection:

• Geographic distribution requires attackers to travel to multiple locations
• Multiple custodians means more people to locate and compromise
• Recovery delays provide time for authorities to intervene

Practical protections:

• Individual shares are useless - no single person can be forced to reveal everything
• Shared knowledge spreads risk across multiple people
• Physical separation prevents attackers from quickly gathering enough shares

Example: With shares in different states/countries, an attacker would need days or weeks to collect the threshold, giving plenty of time for intervention.

What about USB drive failure and bit rot?¶

Long-term storage media degradation is a real concern:

USB drive limitations:

• Bit rot: Flash memory loses charge over 3-5 years
• Temperature sensitivity: Heat accelerates degradation
• Wear leveling: Drives with more use fail faster

Fractum's built-in protections:

• Redundancy by design: Lose N-K shares without data loss
• Multiple storage methods: Mix USB, paper, metal, cloud storage
• Vendor diversity: Use drives from different manufacturers

Best practices:

• Annual refresh cycles: Copy data to new drives yearly
• Multiple media types: Don't rely solely on USB drives
• Verification procedures: Check share integrity regularly

How does Fractum handle memory security?¶

Fractum implements defense-in-depth memory protection:

Memory clearing techniques:

• Secure overwriting: Multiple passes with different patterns
• Immediate clearing: Sensitive data cleared as soon as possible
• Memory locking: Prevents swapping to disk during operations

Limitations and considerations:

• Python string immutability: Some string operations create copies
• Garbage collection: Python's GC may delay memory clearing
• Best practice: Run on dedicated, trusted systems for maximum security

Is Fractum open source?¶

Yes, Fractum is open source software.

Open source benefits:

• Transparent code: Anyone can audit the cryptographic implementation
• Community verification: Security researchers can validate the code
• No vendor lock-in: You control your own security
• Continuous improvement: Community contributions enhance security

Where to find it:

• GitHub repository: katvio/fractum
• License: MIT License
• Issue reporting: Community-driven bug fixes and improvements

How does Fractum compare to traditional password managers?¶

Fractum and password managers serve different purposes:

Fractum advantages:

• Cold storage focus: Designed for long-term, infrequent access
• Air-gapped security: No internet required
• Mathematical security: Information-theoretic guarantees
• Distributed storage: No single point of failure
• File-level protection: Encrypts entire files, not just passwords

Password manager advantages:

• Daily use convenience: Quick access for regular passwords
• Browser integration: Automatic form filling
• Sync across devices: Cloud synchronization
• User-friendly interface: Optimized for frequent access

Best practice: Use both - password managers for daily passwords, Fractum for critical long-term secrets.

What if non-technical family members need to recover my secrets?¶

This is a critical consideration for inheritance planning:

Challenges for non-technical users:

• Complex recovery procedures require technical knowledge
• Software dependencies may become unavailable over time
• Multi-step processes can be confusing under stress

Fractum's solutions:

• Self-contained shares: Each share includes the recovery application
• Cross-platform compatibility: Works on any major operating system
• Detailed documentation: Step-by-step recovery instructions is selfcontained into the .zip files
• Simple command structure: Minimal technical knowledge required

Best practices for family recovery:

• Document everything: Write clear instructions for share locations
• Practice recovery: Train family members on the process
• Legal integration: Include instructions in will or trust documents
• Professional help: Consider involving attorneys or technical advisors

Is Fractum overkill for most users?¶

Fractum is designed for specific high-stakes scenarios:

When Fractum makes sense:

• Cryptocurrency holdings worth significant money
• Business-critical encryption keys protecting valuable data
• Legal documents that cannot be replaced
• Infrastructure secrets protecting important systems
• Family inheritance planning for digital assets

When simpler solutions work:

• Daily passwords - use a password manager
• Low-value data - regular backups are sufficient
• Frequently accessed secrets - active secret managers like Vault

Rule of thumb: If losing the secret would cost you more than $1,000 or cause significant personal/business disruption, Fractum is worth considering.

How can I test my shares without exposing the secret?¶

This is an important operational concern for long-term storage:

Current limitations:

• Full reconstruction required: Currently need to decrypt to verify shares
• Security trade-off: Testing exposes the secret temporarily

Planned improvements:

• Zero-knowledge verification: Planned feature to verify shares without reconstruction
• Commitment schemes: Mathematical proofs that shares are valid

Current best practices:

• Test with dummy data: Practice the recovery process with non-sensitive files
• Partial testing: Verify individual share integrity and format
• Scheduled reviews: Regular audits of share storage locations

Why not just distribute copies of the encryption key?¶

Simple key distribution has significant security weaknesses:

Problems with key copying (1-of-N):

• Single point of compromise: If any copy is stolen, entire secret is exposed
• Equal trust required: All storage locations must be completely secure
• Binary security: Either completely secure or completely compromised

Shamir's advantages (K-of-N):

• Partial compromise protection: Steal K-1 shares, learn nothing
• Flexible trust models: Can use "lower security" locations safely
• Gradual failure: Security degrades gracefully as shares are compromised

Real-world example: Store one share in cloud storage, one with family, one in home safe. Even if cloud storage is breached, your secret remains secure.

Key Takeaways¶

In summary, Fractum provides:

✅ Military-grade security using AES-256-GCM and Shamir's Secret Sharing
✅ Information-theoretic protection that's mathematically guaranteed
✅ Offline operation for air-gapped and high-security environments
✅ Flexible threshold settings to balance security and accessibility
✅ Cross-platform support for Windows, macOS, and Linux
✅ Open source transparency for community audit and verification
✅ Enterprise-grade solution for critical data protection
✅ Coercion resistance through distributed share storage
✅ Long-term reliability with built-in redundancy against media failure

Perfect for: Cryptocurrency wallets, SSH keys, critical documents, password databases, backup encryption keys, and any sensitive data requiring long-term secure storage with distributed access control.

Still have questions?¶

Get additional help:

• 📖 Read the complete documentation
• 🔧 Installation guide
• 🔒 Security best practices
• 🏗️ Security architecture deep dive
• 🐛 Report issues on GitHub