fission

Split secrets with ease


Fission is a microservice that lets you split and recombine secrets using Shamir's Secret Sharing by making HTTP requests.

Request Response

POST /split

To split a secret into multiple shares, send a POST request to the /split endpoint with a JSON object of the following shape.

{
  "secret": "0123456789abcdef",
  "numThreshold": 2,
  "numShares": 3
}

Where secret is the hex-encoded secret you'd like to split, numThreshold is the number of shares needed to recover the secret after it has been split, and numShares is the total number of shares to create.

The number of shares cannot exceed 255, and the threshold cannot exceed the total number of shares.

If your request satisfies the above requirements, Fission will return a JSON response of the following shape.

{
  "shares": [
      "080164bd7b7d74e6341a88e6636696fc7edd0428f2d1d7553f099565ceceab62fa40",
      "0802c867f6fae8d168340dd1c6cc31e5fca4087cf9f5b34a7e943763814e4ba1e983",
      "0803acda8d879c375c2e8537a5aaa71982780cbb0be964b44114a2614fc5e0e013c2"
  ],
  "checksum": "55c53f5d490297900cefa825d0c8e8e9532ee8a118abe7d8570762cd38be9818"
}

Where shares is an array of hex-encoded shares of the original secret. These shares reveal effectively nothing about the original secret unless numThreshold shares are known. The checksum value is used later to determine the integrity of the secret.

POST /join

To recombine shares back into a secret, make a POST request to the /join endpoint with a JSON object of the following shape.

{
  "shares": [
      "080164bd7b7d74e6341a88e6636696fc7edd0428f2d1d7553f099565ceceab62fa40",
      "0802c867f6fae8d168340dd1c6cc31e5fca4087cf9f5b34a7e943763814e4ba1e983"
  ],
  "checksum": "55c53f5d490297900cefa825d0c8e8e9532ee8a118abe7d8570762cd38be9818"
}

Where shares is an array of hex-encoded shares, and checksum is an optional hex-encoded checksum of the secret to be recovered.

If the threshold number of shares is provided in the request and the shares were derived from the same secret, Fission will return the original secret. If checksum doesn't match that of the original secret, an error response will be returned.

{
  "secret": "0123456789abcdef"
}

Where secret is the hex-encoded secret. Note that if checksum is absent from a request, Fission will attempt to recover a secret regardless of the number or type of shares provided in the request. If that key is missing, it's your duty to ensure that the integrity of the secret is kept.
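The caveat above in miniature, as an added example that is not Fission's code: a minimal Shamir split/join over GF(2^8) showing that interpolation returns bytes for any input, so only the checksum catches a tampered share. The field polynomial, the x-indexed share layout and the use of SHA-256 for the checksum are assumptions; this page does not specify Fission's share encoding or checksum algorithm.

```python
# Added example. Assumptions: GF(2^8) with polynomial 0x11B, shares keyed by x, SHA-256 checksum.
import hashlib
import secrets

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def gf_inv(a):
    r = 1
    for _ in range(254):  # a^254 == a^-1 because a^255 == 1 for non-zero a
        r = gf_mul(r, a)
    return r

def split(secret, threshold, shares):
    """Return {x: share}; each secret byte is the constant term of a random polynomial."""
    if not 1 <= threshold <= shares <= 255:
        raise ValueError("need 1 <= threshold <= shares <= 255")
    polys = [[b] + [secrets.randbelow(256) for _ in range(threshold - 1)] for b in secret]
    out = {}
    for x in range(1, shares + 1):
        ys = bytearray()
        for coeffs in polys:
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            ys.append(y)
        out[x] = bytes(ys)
    return out

def join(shares, checksum=None):
    """Lagrange-interpolate at x = 0; without a checksum, bad shares yield wrong bytes silently."""
    secret = bytearray(len(next(iter(shares.values()))))
    for xi, ys in shares.items():
        w = 1
        for xj in shares:
            if xj != xi:
                w = gf_mul(w, gf_mul(xj, gf_inv(xi ^ xj)))
        for k, y in enumerate(ys):
            secret[k] ^= gf_mul(w, y)
    if checksum is not None and hashlib.sha256(secret).hexdigest() != checksum:
        raise ValueError("checksum mismatch: shares are wrong, tampered or insufficient")
    return bytes(secret)
```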

Security Considerations

This service assumes that TLS protects against MITM attacks. If this assumption isn't aligned with your risk posture, do NOT use this service.

Handle your secrets with care.