FractalLock is designed to eliminate the single point of compromise found in traditional encrypted vault systems.
Vault data is encrypted locally on the user's device, and FractalLock generates a cryptographically secure encryption key. This key protects the vault's contents.
Instead of storing the key in a single location, FractalLock splits the key into multiple recovery shares using threshold cryptography.
Only the required number of shares, which the user specifies, is needed to reconstruct the key and recover the vault.
No vault data, encryption keys, or recovery shares are transmitted to any server.
FractalLock vaults remain accessible even if the FractalLock website or infrastructure becomes unavailable.
FractalLock does not implement custom cryptography and uses the libsodium implementation of XChaCha20-Poly1305 for authenticated encryption of vault data and version keys.
```javascript
// Generate a random nonce
const nonce = sodium.randombytes_buf(
  sodium.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES
)

// Encrypt data using authenticated encryption
const ciphertext = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(
  data,  // plaintext
  null,  // additional data
  null,  // secret nonce
  nonce, // public nonce
  key    // encryption key
)
```
All encryption and vault reconstruction operations occur locally on the user's device.
FractalLock does not require internet access to create or recover vaults.
FractalLock is designed to protect vault data against:
FractalLock does not protect against:
FractalLock is built using widely accepted cryptographic techniques rather than proprietary or experimental algorithms.
The security model is intentionally simple and designed to be easily understood and independently evaluated.
FractalLock uses a hierarchical encryption model designed to support secure versioning of vault data.
Each vault contains a randomly generated root key. The root key is split into recovery shares using Shamir Secret Sharing.
When files are added or modified, FractalLock generates a new version key. The version key is used to encrypt the files in that version of the vault.
The version key itself is encrypted using the root key and stored alongside the encrypted vault data.
This design allows FractalLock to support vault versioning while ensuring that all encrypted data remains protected by the root key.
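The root-key split described above, as an added example that is not FractalLock's own code: Shamir Secret Sharing applied byte by byte over GF(2^8). The field polynomial, the share layout and the names `split`, `combine`, `gfMul`, `gfInv` and `demoKey` are assumptions, since the page does not state FractalLock's parameters.

```javascript
// Added example (not FractalLock code): Shamir split/combine over GF(2^8).
const rng = globalThis.crypto ?? require('crypto').webcrypto; // CSPRNG, Node or browser
// Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b); the field is an assumption.
function gfMul(a, b) {
  let p = 0;
  for (; b; b >>= 1) {
    if (b & 1) p ^= a;
    a = (a << 1) ^ (a & 0x80 ? 0x11b : 0);
  }
  return p;
}
// Multiplicative inverse as a^254, since a^255 = 1 for every non-zero a.
function gfInv(a) {
  let r = 1;
  for (let i = 0; i < 254; i++) r = gfMul(r, a);
  return r;
}

// Split `secret` (Uint8Array) into n shares; any k of them recover it.
function split(secret, n, k) {
  if (!(k >= 2 && k <= n && n <= 255)) throw new RangeError('need 2 <= k <= n <= 255');
  const shares = Array.from({ length: n }, (_, i) => ({ x: i + 1, y: new Uint8Array(secret.length) }));
  for (let b = 0; b < secret.length; b++) {
    const coeffs = rng.getRandomValues(new Uint8Array(k)); // fresh polynomial per byte
    coeffs[0] = secret[b];                                  // constant term = secret byte
    for (const s of shares) {
      let y = 0;
      for (let j = k - 1; j >= 0; j--) y = gfMul(y, s.x) ^ coeffs[j]; // Horner's rule
      s.y[b] = y;
    }
  }
  return shares;
}

// Lagrange interpolation at x = 0. Too few shares gives wrong bytes, not an error.
function combine(shares) {
  if (new Set(shares.map(s => s.x)).size !== shares.length) throw new Error('duplicate share');
  const out = new Uint8Array(shares[0].y.length);
  shares.forEach((si, i) => {
    let l = 1; // basis value: product over j != i of x_j / (x_j XOR x_i)
    shares.forEach((sj, j) => { if (j !== i) l = gfMul(l, gfMul(sj.x, gfInv(sj.x ^ si.x))); });
    for (let b = 0; b < out.length; b++) out[b] ^= gfMul(l, si.y[b]);
  });
  return out;
}

// Constructed 32-byte stand-in for a root key, split 3-of-5, rebuilt from shares 2-4.
const demoKey = Uint8Array.from({ length: 32 }, (_, i) => i * 7 + 1);
console.log(combine(split(demoKey, 5, 3).slice(1, 4)).every((v, i) => v === demoKey[i]));
```

Because `combine` returns plausible-looking bytes even when too few or mismatched shares are supplied, a wrong reconstruction is only detected when authenticated decryption under the recovered key fails.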
If you believe you have discovered a security vulnerability in FractalLock, please contact us at:
security@fractallock.com