Fractir

Security

Overview

Fractir is designed to eliminate the single point of compromise found in traditional encrypted vault systems.

Vault data is encrypted locally on the user's device, and Fractir generates a cryptographically secure encryption key. This key protects the vault's contents.

Instead of storing the key in a single location, Fractir splits the key into multiple recovery shares using threshold cryptography.

Only the user-specified number of shares is needed to reconstruct the key and recover the vault.

No vault data, encryption keys, or recovery shares are transmitted to any server.

Fractir vaults remain accessible even if the Fractir website or infrastructure becomes unavailable.

Cryptography Used

Fractir does not implement custom cryptography. It uses the libsodium implementation of XChaCha20-Poly1305 for authenticated encryption of vault data and version keys.

Example encryption operation
// Generate a random nonce
const nonce = sodium.randombytes_buf(
  sodium.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES
)

// Encrypt data using authenticated encryption
const ciphertext = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(
  data,       // plaintext
  null,       // additional authenticated data (none)
  null,       // secret nonce (unused by this construction, always null)
  nonce,      // public nonce
  key         // encryption key
)

Local-First Design

All encryption and vault reconstruction operations occur locally on the user's device.

Fractir does not require internet access to create or recover vaults.

Threat Model

Fractir is designed to protect vault data against:

Fractir does not protect against:

Security Transparency

Fractir is built using widely accepted cryptographic techniques rather than proprietary or experimental algorithms.

The security model is intentionally simple and designed to be easily understood and independently evaluated.

Encryption Model

Fractir uses a hierarchical encryption model designed to support secure versioning of vault data.

Each vault contains a randomly generated root key. The root key is split into recovery shares using Shamir Secret Sharing.

When files are added or modified, Fractir generates a new version key. The version key is used to encrypt the files in that version of the vault.

The version key itself is encrypted using the root key and stored alongside the encrypted vault data.

This design allows Fractir to support vault versioning while ensuring that all encrypted data remains protected by the root key.
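The k-of-n split of the root key described above, as an added example that is not Fractir's own code: Shamir Secret Sharing over GF(2^8), applied byte by byte. The field, the `{x, y}` share layout and the function names are assumptions chosen for illustration; the page does not state which parameters or library Fractir uses.

```javascript
// Web Crypto CSPRNG: global in browsers and Node 19+, else taken from node:crypto.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Multiply in GF(2^8) with the reduction polynomial x^8+x^4+x^3+x+1 (0x11b).
function gfMul(a, b) {
  let p = 0;
  for (; b; b >>= 1) {
    if (b & 1) p ^= a;
    a <<= 1;
    if (a & 0x100) a ^= 0x11b;
  }
  return p;
}

// Multiplicative inverse: a^254 = a^-1 for every non-zero a in GF(2^8).
function gfInv(a) {
  let r = 1;
  for (let i = 0; i < 254; i++) r = gfMul(r, a);
  return r;
}

// Split `secret` (Uint8Array) into n shares; any k of them reconstruct it.
function split(secret, n, k) {
  if (!(k >= 2 && k <= n && n <= 255)) throw new RangeError('need 2 <= k <= n <= 255');
  const shares = Array.from({ length: n }, (_, i) => ({ x: i + 1, y: new Uint8Array(secret.length) }));
  secret.forEach((byte, pos) => {
    // Fresh random polynomial per byte: f(0) = byte, degree at most k - 1.
    const coeffs = [byte, ...rng.getRandomValues(new Uint8Array(k - 1))];
    for (const s of shares) {
      // Horner evaluation of f(x) at the share's x coordinate.
      s.y[pos] = coeffs.reduceRight((acc, c) => gfMul(acc, s.x) ^ c, 0);
    }
  });
  return shares;
}

// Lagrange interpolation at x = 0 over the supplied shares.
function combine(shares) {
  const xs = shares.map((s) => s.x);
  if (new Set(xs).size !== xs.length) throw new Error('duplicate share');
  const out = new Uint8Array(shares[0].y.length);
  shares.forEach((si) => {
    // Basis weight l_i(0) = prod_{j != i} x_j / (x_j ^ x_i); subtraction is XOR here.
    let w = 1;
    for (const xj of xs) if (xj !== si.x) w = gfMul(w, gfMul(xj, gfInv(xj ^ si.x)));
    si.y.forEach((y, pos) => { out[pos] ^= gfMul(y, w); });
  });
  return out;
}
```

Combining fewer than k shares returns an unrelated value rather than an error, so a reconstructed key is only confirmed when the authenticated decryption that uses it succeeds.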

Responsible Disclosure

If you believe you have discovered a security vulnerability in Fractir, please contact us at:

security@fractir.com