enshamir is a powerful command line utility designed for splitting and combining secrets using Shamir's Secret Sharing Scheme, which is a cryptographic algorithm used to protect sensitive information.
With enshamir, you can safely split a secret into multiple shares, each of which contains a piece of the original secret, and then combine those shares to reconstruct the original secret. To ensure maximum security, enshamir encrypts the secret using AES-256-GCM before splitting it, making it virtually impossible for unauthorized parties to access the secret.
brew install ycdesu/tap/enshamirgo install github.com/ycdesu/enshamir/cmd/enshamir@latestTo split a secret into shares using enshamir, follow these steps:
- Prepare the secret file that you want to split. You can create a test file at
/tmp/test-secretby running:
echo "my secret" > /tmp/test-secret- Split the secret into 5 shares using the following command. This will save the shares in
/tmp/splitted-secrets:
enshamir split \
--secret-file /tmp/test-secret \
--parts 5 \
--threshold 3 \
--output-dir /tmp/splitted-secretsIn this example, we are splitting the secret into 5 shares, and we need at least 3 shares to reconstruct the secret.
Note that enshamir encrypts the secret before splitting it, so you will be asked to provide a password to encrypt the secret.
The password is hashed to a 32-byte key by argon2id, and a random 16-byte salt is also generated to add an extra layer of security.
- When the splitting process is complete,
enshamirwill generate the following files under/tmp/splitted-secrets:
/tmp/splitted-secrets/MUST-BACK-UP-SALT # a random 16-byte salt file used to hash the user password
/tmp/splitted-secrets/SPLITTED-SECRET-1 # share 1
/tmp/splitted-secrets/SPLITTED-SECRET-2 # share 2
/tmp/splitted-secrets/SPLITTED-SECRET-3 # share 3
/tmp/splitted-secrets/SPLITTED-SECRET-4 # share 4
/tmp/splitted-secrets/SPLITTED-SECRET-5 # share 5It is important to back up the MUST-BACK-UP-SALT file and at least 3 shares to be able to recover the secret later.
The MUST-BACK-UP-SALT file is necessary to reconstruct the 32-byte key used to encrypt the secret, while at least 3 shares are needed to recover the encrypted secret.
- To verify that the generated shares are valid, you can immediately combine them using the
enshamircombine command. If the secret is properly recovered, this will ensure that the shares were generated correctly.
Once you have split the secret into shares, it's recommended to combine the shares as soon as possible.
Assuming you have a salt file and three shares, and the secret content is "my secret". The shares are saved in the following files:
/tmp/MUST-BACK-UP-SALT
/tmp/parts-of-secrets/SPLITTED-SECRET-1
/tmp/parts-of-secrets/SPLITTED-SECRET-3
/tmp/parts-of-secrets/SPLITTED-SECRET-5To combine the shares, use the enshamir combine command with the following arguments:
enshamir combine \
--salt-file <path-to-salt-file> \
--shares-dir <path-to-shares-directory> \
--secret-file <path-to-combined-secret>Here, you should replace path-to-salt-file with the actual path to your salt file, path-to-shares-directory with the
actual path to your directory containing the split shares, and path-to-combined-secret with the actual path to the file
where you want to store the combined secret.
So the combining command is:
enshamir combine \
--salt-file /tmp/MUST-BACK-UP-SALT \
--shares-dir /tmp/parts-of-secrets \
--secret-file /tmp/combined-secretAfter running the enshamir combine command, the combined secret will be saved to path-to-combined-secret. You can
verify the content of this file by running:
cat /tmp/combined-secretThe content of the file should be my secret.