hubertbonscep

@hubertbonscep@infosec.exchange
Security engr

🧵 Thread: Building information-theoretic security for personal cold storage

After almost losing access to critical crypto wallets during a team transition, I've been thinking about the cold storage problem differently.

Most people store seeds/keys in single locations: hardware wallets, encrypted files, safety deposit boxes. But what happens when that ONE thing fails, gets stolen, or you forget where you put it?

1/8
๐Ÿ” The solution we ended up building uses Shamir's Secret Sharing - the same math that Trezor uses internally, but applied to any secret you need to store long-term.

Split your seed phrase into 5 pieces, need any 3 to recover. The beautiful part: 2 pieces reveal ZERO information. Information-theoretic security, not just "computationally hard."

2/8
💡 Real-world threat models this addresses:
🔥 House fire (shares elsewhere survive)
🚪 Inheritance planning (family can pool shares)
🏠 Forgotten hiding spots (only need threshold)
⚔️ Physical coercion (attacker needs multiple locations)
💾 Hardware failure (recover to any new device)

3/8
๐Ÿ›ก๏ธ The crypto nerd in me loves that this is provably secure:

- AES-256-GCM for file encryption
- Shamir's algorithm over GF(256)
- Each share is self-contained with recovery tools
- Air-gapped operation (Docker --network=none)
- No proprietary crypto, everything auditable

4/8
🎯 Use cases beyond crypto:

- Password manager master vault exports
- GPG/SSH keys you can't afford to lose
- Encrypted family photos/documents
- Any "nuclear option" secret that needs decades of survival

The key insight: some secrets are too important for single points of failure.

5/8
🔓 Why we open-sourced it:
When your financial security depends on a tool, you can't trust it to any company's business model. Cryptographic tools for long-term storage need to be:

- Transparent (audit the math)
- Immortal (survive any vendor)
- Community-maintained

6/8
💻 Implementation details for the security-minded:

- Runs completely offline
- Cross-platform (Linux/macOS/Windows)
- Each share includes full recovery application
- FIPS 140-2 compatible algorithms
- Reproducible builds

GitHub: https://github.com/katvio/fractum

7/8
Question for #infosec community:

I'm wondering: how do you handle long-term storage of critical secrets? Especially curious about approaches that survive both digital and physical threats over decades.
What threat models am I missing for personal cold storage scenarios?

#cryptography #backup #security #shamir
8/8

GitHub - katvio/fractum: Fractum is a portable secure file encryption tool allowing you to encrypt files and split them into multiple shares, with the ability to decrypt using only a subset of these shares.
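The thread's two technical claims (a 3-of-5 split over GF(256), and that any 2 shares reveal nothing) can be checked directly. The following is an added worked example, not code from the thread or from the Fractum project: a toy Shamir implementation over GF(256) using the AES reduction polynomial (an assumption; any irreducible degree-8 polynomial works), plus a `leaks_nothing` check that shows why a below-threshold set of shares is useless. The seed phrase string is a constructed stand-in, not a real wallet.

```python
"""Toy Shamir secret sharing over GF(256) (example code, not Fractum's own)."""
import secrets
from itertools import combinations


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1 (0x11B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """a^254 == a^-1 in GF(256)* (group order 255); square-and-multiply."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(256)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def lagrange_at(points, x: int) -> int:
    """Evaluate at x the unique polynomial of degree < len(points) through points.
    In characteristic 2 subtraction is XOR, so (x - xj) is x ^ xj."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, x ^ xj)
                den = gf_mul(den, xi ^ xj)
        total ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return total


def split_secret(secret: bytes, k: int, n: int):
    """Split secret into n shares (x, bytes); any k recover it. Each byte gets its
    own random polynomial with the secret byte as constant term, evaluated at x=1..n."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    shares = {x: bytearray() for x in range(1, n + 1)}
    for b in secret:
        coeffs = [b] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x in shares:
            acc = 0
            for c in reversed(coeffs):  # Horner evaluation
                acc = gf_mul(acc, x) ^ c
            shares[x].append(acc)
    return [(x, bytes(y)) for x, y in shares.items()]


def recover_secret(shares) -> bytes:
    """Interpolate every byte position at x = 0. With fewer than k shares this
    returns a wrong but plausible value, not an error: that is why a real tool
    wraps the payload in an AEAD such as AES-GCM, so a bad recovery fails loudly."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = len(shares[0][1])
    return bytes(lagrange_at([(x, y[i]) for x, y in shares], 0) for i in range(length))


def candidate_map(partial, k: int, missing_x: int):
    """Given k-1 shares of ONE byte, map each candidate secret value 0..255 to the
    value the share at missing_x would have to take for that candidate to be true."""
    if len(partial) != k - 1:
        raise ValueError("expects exactly k-1 shares")
    return {s: lagrange_at([(0, s)] + list(partial), missing_x) for s in range(256)}


def leaks_nothing(partial, k: int, missing_x: int) -> bool:
    """True when every candidate secret is consistent with the partial shares: the
    map secret -> missing share value is a bijection onto all 256 values, so the
    missing (uniformly random) share makes every secret equally likely."""
    return len(set(candidate_map(partial, k, missing_x).values())) == 256


if __name__ == "__main__":
    seed = b"abandon ability able about above"  # constructed stand-in, not a real seed
    shares = split_secret(seed, k=3, n=5)
    for subset in combinations(shares, 3):
        assert recover_secret(list(subset)) == seed
    two = [(x, y[0]) for x, y in shares[:2]]  # byte 0 of shares 1 and 2 only
    print("any 3 of 5 recover; 2 of 5 leak nothing:", leaks_nothing(two, 3, missing_x=3))
```

The `leaks_nothing` check is the information-theoretic argument made concrete: with k-1 points fixed, each guess for the constant term pins down exactly one degree-(k-1) polynomial and hence exactly one value for any further share, so no guess is favoured over another. Note also that Shamir alone gives no integrity; recovering from a corrupted or below-threshold share set silently yields garbage, which is the job of the AES-GCM layer the thread mentions.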