I'd like to self-nominate agree.

agree is a CLI tool that enables secret sharding by implementing Shamir's Secret Sharing. After reading a blog post by PayPal's former CTO, I found that there was no Rust-based CLI tool that provides an implementation of the Shamir's Secret Sharing (SSS) algorithm in a convenient way.
Summary: agree is able to split a secret of arbitrary length into n shares. When splitting, you choose a threshold k for restoring the secret. The idea is to split the secret into n shares (one per person) and then require at least k people to agree before the secret can be restored. This approach, also known as multi-key-turn security, is found in many security-critical systems: it avoids the single point of failure that arises when one individual alone has access to a secret.
agree provides additional convenience features such as:
- Optionally encrypting the share with a password that is prompted when the share is used for restoring the secret.
- Optionally adding additional information about the secret (total number of shares / threshold for restoration).
- Optionally adding an individual name and comment to the share (plain string).
- Detecting wrong passwords for encrypted shares by verifying an Argon2id hash that is stored in the share.
- Assigning a UUID to each share.
The CLI program supports a fully automated way of splitting the secret (via a blueprint) as well as an interactive mode (using the dialoguer crate). Restoring a secret from k shares is also supported in both interactive and headless mode (headless mode assumes that no password prompt is needed and fails otherwise).
I just released version 0.1.0 after an initial alpha and beta test with people I know. The interface should stay backwards compatible within a minor version. After the initial release of 1.0.0, the semver v2 standard will be enforced.
- Crates.io: https://crates.io/crates/agree
- Inspiration by: too long to tweet