#cli #secret #key #sharing

app agree

A multi-key-security CLI tool using Shamirs Secret Sharing

6 releases

0.1.0 Aug 13, 2023
0.1.0-beta.2 Aug 12, 2023
0.1.0-beta.1 Aug 8, 2023
0.1.0-alpha.2 Aug 6, 2023
0.0.0 Aug 6, 2023

#1771 in Command line utilities

50 downloads per month

MIT license


Rust 675 SLoC // 0.0% comments BASH 261 SLoC PowerShell 107 SLoC Elvish 94 SLoC


dependency status
agree is a CLI tool for easily applying multi-key-turn security via Shamirs Secret Sharing.

Project state

agree is unstable.
Version semantics: ^([0-9]+\.[0-9]+\.[0-9]+)(-(alpha|beta)\.[0-9]+)?$.


Split a secret into n shares (interactive)

To split a secret (file) into shares, execute one of the following examples.:

  • Data is in a file (Cargo.toml):
    agree split -i -s Cargo.toml
  • Data is generated by an inline shell script and written to STDOUT (this approach uses process substitution):
    agree split -i -s <(printf "secret")

This command is interactive and asks the user to provide data like s hare name, file path and optional password to encrypt the share data.

Restore a secret from n shares (interactive)

In the following example, the secret was split into 2 shares. We need to provide exactly two shares in order to restore the secret and write it to STDOUT.
This command is interactive as it might prompt for the password of the share if it's share dataa is encrypted.

agree restore -i -s ./share1.file -s ./share2.file

Note that if any password is encrypted and the -i flag is not provided, the command execution will fail since no password can be prompted from the user when in non-interactive mode.

Split a secret into n shares (via blueprint)

The example below will split the secret into three shares with a restore threshold of two. Assuming the file is called blueprint.yaml, we can use the following command:

agree split -s Cargo.toml -b blueprint.yaml
threshold: 2
  - path: ./test/alice.share
  - path: ./test/bob.share
    name: bob
    encrypt: !plain example-bob
    info: true
    comment: example for bob
  - path: ./test/charlie.share
    name: charlie
    encrypt: !shell printf example-charlie

The same result can be achieved using the interactive mode:

agree split -i -s Cargo.toml

Share composition

In all version, bytes [0..36) are reserved for the version ID of the archive.
In the following schematics, only the data from index [36..] is used and shifted left to index 0 for convenience.

^     --  -- VERSION ID --  --     ^ DATA =>


v0.1 is a yaml base64 encoded YAML file. The share information can be store either in plain text or can be protected with a password. The share data is always base64 encoded when stored in the YAML field.
If encrypted with a password, a symmetric encryption algorithm with the following attributes is used (from the crate simplecrypt v 1.0.2):

/// |index  |usage|
/// |-------|-----|
/// |0 - 15 |salt |
/// |16 - 39|nonce|
/// |40 - 55|mac  |
/// |56 -   |data |

The password to the data is hashed via argon2. The hashed password is stored alongside the encrypted data to easily identify wrong passwords when the data is decrypted.


~310K SLoC