0.6.1 • Public • Published


    Join the chat at

    An alpha document splitter. It's new, so it's nearly guaranteed to be insecure.

    You have been warned.


    1. IMPORTANT: If you have created shards before version 0.3.0, you'll need to continue using the latest legacy structure version (0.2.0), or reshard your document. The latter is preferred, as the new version attempts to hide the length of your document a little better.
    2. Passwords are now prompted for, and the command line option has been removed for security. You'll be prompted for these passwords.

    What's the use of it?

    You can seperate documents out to different physical (or digital) locations. Assuming that the physical/digital locations have perfect security, it wouldn't matter if the AES algorithm breaks, since XOR one time pads provide theoretically perfect security.


    You can install it like:

    npm install -g secsplit

    How do I use this thing?


    Let's go over the structure a little bit first. The document is the file which you're splitting into shards.

    So you essentially have this:

    • Create shards from the original document (with some added junk random data), that recreate the original document when xor'd together
    • Encrypt shards with AES-GCM
    • Encrypt the key used for the above step (the shard key) with a key derived from a password using PBKDF2-SHA512 (the master key)

    Generating a new shard key

    Firstly, you'll need to generate a new shard key, and encrypt that with a password. You can do that by running this command (and entering your desired password when prompted for it):

    secsplit genkey -o <shard key output path>

    For example:

    secsplit genkey -o ~/reportshard/secsplit.skey

    You can also specify the PBKDF2 parameters like this:

    secsplit genkey -o <shard key output path> -i <PBKDF2 iterations> -a <PBKDF2 hash algorithm>

    Where the hash algorithm is: md5, sha1, sha256, or sha512.

    Note that the iterations currently defaults to 1000000, and the algorithm defaults to sha512.

    For example:

    secsplit genkey -o ~/reportshard/secsplit.skey -i 50000000 -a sha256

    Also note that the salt, iv, and the actual key changes each time you run the command, even if the password is the same.

    Sharding a document

    Now that you have a shard key generated, you can now shard a document by using this command:

    secsplit shard -k <shard key file> -i <document path> -o <shard path> <shard path> ...

    Where ... indicates that you can supply as many shards as you want. Note that you must supply at least two paths to save shards in.

    You'll be prompted for your password that you set when generating the key file.

    For example:

    secsplit shard -k ~/reportshard/secsplit.skey -i ~/Documents/report.pdf -o ~/reportshard/shards/1.shard ~/reportshard/shards/2.shard ~/reportshard/shards/3.shard

    You can also modify how much junk random data is added to your document (which is removed when you merge), like so:

    secsplit shard -k <shard key file> -i <document path> -o <shard path> <shard path> ... -b <multiple of boundaries to always add up to>

    For example:

    secsplit shard -k ~/reportshard/secsplit.skey -i ~/Documents/report.pdf -o ~/reportshard/shards/1.shard ~/reportshard/shards/2.shard ~/reportshard/shards/3.shard -b 512

    Note that the default method is the fixed multiple boundary; random data + length of document = x * boundary where x is the smallest positive integer to satisfy length of document <= x * boundary. The default boundary is 16384.

    You can also use an exponential boundary; random data + length of document = boundary^x where x is the smallest positive integer to satisfy length of document <= boundary^x. It is recommended that you use a smaller boundary when using this mode, with 16 scaling up well. You can switch to this mode using the -e parameter, like so:

    secsplit shard -k ~/reportshard/secsplit.skey -i ~/Documents/report.pdf -o ~/reportshard/shards/1.shard ~/reportshard/shards/2.shard ~/reportshard/shards/3.shard -e -b 16

    Merging back

    Ok. So you've got the shards, and now you want to use them to recreate your document (after you probably used a command like shred on it). You can merge shards back into the document like so:

    secsplit merge -o <shard key file> -i <shard path> <shard path> ... -o <merge output path>

    For example:

    secsplit merge -o ~/reportshard/secsplit.skey -i ~/reportshard/shards/1.shard ~/reportshard/shards/2.shard ~/reportshard/shards/3.shard -o ~/Documents/merged-report.pdf

    If you don't see your original file, you're missing a shard somewhere.


    You've now realised that you want additional shards. Rather treating the shard as another document, you can actually reshard. This will unencrypt the shard, and then create additional files, like so:

    secsplit reshard -k <shard key file> -i <original shard> -o <subshard path> <subshard path> ...

    Again, ... indicates that you can supply as many shards as you want, but you must still have a minimum of two.

    For example:

    secsplit reshard -k ~/reportshard/secsplit.skey -i ~/reportshard/shards/3.shard -o ~/reportshard/shards/3sub1.shard ~/reportshard/shards/3sub2.shard
    shred -n 200 -z -u ~/reportshard/shards/3.shard && mv ~/reportshard/shards/3sub1.shard ~/reportshard/shards/3.shard && mv ~/reportshard/shards/3sub2.shard ~/reportshard/shards/4.shard # SEE NOTES BELOW BEFORE RUNNING THIS LINE 

    Note that we use shred to delete the original shard. You should only do this once you're sure that the new shards work, but you should be sure to do this (else the new shards are effectively bypassed by the old one).

    Also, note that you should not include both the original shard and the subshards when merging, as the subshards xor together to make the original shard.

    Gluing back together

    Ok so I made a mistake and created too many shards for one of my files. Rather than regenerating the whole sharding process, I added the ability to glue shards back together.

    You can do so like this:

    secsplit glue -k <shard key file> -i <subshard path> <subshard path> ... -o <merged shard>

    For example:

    secsplit glue -k ~/reportshard/secsplit.skey -i ~/reportshard/shards/3.shard ~/reportshard/shards/4.shard -o ~/reportshard/shards/3merge.shard
    shred -n 200 -z -u ~/reportshard/shards/3.shard && shred -n 200 -z -u ~/reportshard/shards/4.shard && mv ~/reportshard/shards/3merge.shard ~/reportshard/shards/3.shard

    Changing your password

    You can change your password by using the following command:

    secsplit chpass -k <old shard key location> -o <new shard key location>

    You should enter your old password, and desired new password when prompted.

    For example:

    secsplit chpass -k ~/reportshard/secsplit.skey -o ~/reportshard/new.skey
    shred -n 200 -z -u ~/reportshard/secsplit.skey && mv ~/reportshard/new.skey ~/reportshard/secsplit.skey # Again, run this only once you're sure that the above has worked 

    You could also use this (although this is more risky):

    secsplit chpass -k ~/reportshard/secsplit.skey -o ~/reportshard/secsplit.skey

    Note that you can set the same password to regenerate the salt, and therefore the master key.

    Changing the PBKDF2 parameters

    So you've created a key, and now you've realised that generating the password using PBKDF2 is taking too long. You want to lower the number of iterations to help.

    You can do this by using the following command:

    secsplit chparam -k <old shard key location> -o <new shard key location> -i <number of iterations> -a <PBKDF2 algorithm>

    Note that iterations defaults to 1000000 and the algorithm defaults to sha512 when left unspecified.

    For example:

    secsplit chparam -k ~/reportshard/secsplit.skey -o ~/reportshard/new.skey -i 100000 -a sha256
    shred -n 200 -z -u ~/reportshard/secsplit.skey && mv ~/reportshard/new.skey ~/reportshard/secsplit.skey # Only run this once you're sure that the above has worked 

    And the more risky version:

    secsplit chparam -k ~/reportshard/secsplit.skey -o ~/reportshard/secsplit.skey -i 100000 -a sha256

    Note that this method also allows you to regenerate the salt.

    I have an error

    The argument checking currently consists of a simple validator, and doesn't report which argument is missing/faulty, so secsplit gives very generic errors most of the time. I'll fix this soon.

    At the moment could you file an issue to let me know what command that you were running which isn't working as you expect, please?

    Your code style is awful

    I know.




    npm i secsplit

    DownloadsWeekly Downloads






    Unpacked Size

    44.8 kB

    Total Files


    Last publish


    • kurimizumi