Fission is a microservice that lets you split and recombine secrets using Shamir's Secret Sharing by making HTTP requests.
To split a secret into multiple shares, send a POST request to the /split endpoint with a JSON object of the following shape.

    {
      "secret": "0123456789abcdef",
      "numThreshold": 2,
      "numShares": 3
    }

Where secret is the hex-encoded secret you'd like to split, numThreshold is the number of shares needed to recover the secret again after being split, and numShares is the total number of shares to create.
If your request satisfies the above requirements, Fission will return a JSON response of the following shape.
    {
      "shares": [
        "080164bd7b7d74e6341a88e6636696fc7edd0428f2d1d7553f099565ceceab62fa40",
        "0802c867f6fae8d168340dd1c6cc31e5fca4087cf9f5b34a7e943763814e4ba1e983",
        "0803acda8d879c375c2e8537a5aaa71982780cbb0be964b44114a2614fc5e0e013c2"
      ],
      "checksum": "55c53f5d490297900cefa825d0c8e8e9532ee8a118abe7d8570762cd38be9818"
    }

Where shares is an array of hex-encoded shares of the original secret. These shares reveal effectively nothing about the original secret unless numThreshold shares are known. The checksum value is used later to determine the integrity of the secret.
To recombine shares back into a secret, make a POST request to the /join endpoint with a JSON object of the following shape.
    {
      "shares": [
        "080164bd7b7d74e6341a88e6636696fc7edd0428f2d1d7553f099565ceceab62fa40",
        "0802c867f6fae8d168340dd1c6cc31e5fca4087cf9f5b34a7e943763814e4ba1e983"
      ],
      "checksum": "55c53f5d490297900cefa825d0c8e8e9532ee8a118abe7d8570762cd38be9818"
    }

Where shares is an array of hex-encoded shares, and checksum is an optional hex-encoded checksum of the secret to be recovered.
If the threshold number of shares is provided in the request and the shares were derived from the same secret, Fission will return the original secret. If checksum doesn't match that of the original secret, an error response will be returned.
    {
      "secret": "0123456789abcdef"
    }

Where secret is the hex-encoded secret. Note that if checksum is absent from a request, Fission will attempt to recover a secret regardless of the number or type of shares provided in the request. If you omit checksum, ensuring the integrity of the recovered secret is your responsibility.
This service assumes that TLS protects against MITM attacks. If this assumption isn't aligned with your risk posture, do NOT use this service.
Handle your secrets with care.