Horcrux – Distributed, Zero-Trust Secret Manager

44za12 | 2 pts | 1 comment

GitHub - 44za12/horcrux · GitHub


Horcrux

Distributed, Zero-Trust Secret Manager

A secret manager that splits your vault across multiple cloud providers using Shamir's Secret Sharing and Reed-Solomon erasure coding — no single point of failure, no single point of compromise.

Features

Password, TOTP, API Key & File Management — Securely store, retrieve, and organize all your secrets.

Distributed Backup — Vault split across up to 7 cloud providers. Need M-of-N to recover — lose a provider, you're still safe.

Incremental Distribution — Content-addressed segments mean only changed data is re-uploaded. GB-scale vaults distribute in seconds.

Touch ID Unlock — Biometric unlock via macOS Keychain. Falls back gracefully to passphrase on Macs without Touch ID.

7 Storage Providers — Local filesystem, Google Drive, Dropbox, S3/MinIO, USB drives, SSH/SFTP, and WebDAV.

Zero-Knowledge — Providers see only opaque encrypted blobs. The vault passphrase never leaves your machine.

Fuzzy Search — Find passwords and TOTP entries with approximate queries.

Import — CSV passwords, 2FAS JSON TOTP exports.

Cross-Platform CLI — Go binary runs on macOS, Linux, and Windows. GUI is macOS-native (Wails + Svelte).

Quick Start

macOS GUI

Download Horcrux.app from Releases and move to /Applications.

Launch, create a passphrase, and start adding passwords.

Add 2+ storage providers under Providers, then Distribute to back up your vault.

CLI (macOS / Linux / Windows)

```bash
# Download and install (macOS arm64 build shown)
curl -L https://github.com/44za12/horcrux/releases/latest/download/horcrux-darwin-arm64 -o /usr/local/bin/horcrux
chmod +x /usr/local/bin/horcrux

# Initialize
horcrux init

# Add a password (passed as an argument, so it is recorded in shell history)
horcrux pass addpass github.com user@email.com mypassword

# Get a password
horcrux pass getpass github.com user@email.com

# Add a provider and distribute
horcrux providers auth local
horcrux providers auth s3 --endpoint s3.amazonaws.com --bucket my-bucket
horcrux distribute

# Restore from providers
horcrux restore
```

Cryptography

| Layer | Algorithm | Key |
|---|---|---|
| Vault files (at rest) | AES-256-GCM | Argon2id(passphrase) |
| Distribution segments | AES-256-GCM (deterministic) | Random 32-byte DEK |
| DEK protection | Shamir's Secret Sharing over GF(2⁸) | M-of-N threshold |
| Data fault tolerance | Reed-Solomon erasure coding | M data + N−M parity shards |
| Passphrase verification | PBKDF2 + HMAC-SHA256 | 100k iterations |
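The example below is added here and is not Horcrux's own code. It shows one way the "AES-256-GCM (deterministic)" row and the content-addressed segments of Incremental Distribution can fit together. The page does not say how Horcrux derives nonces, subkeys or segment addresses, so the HMAC-derived nonce, the "enc"/"nonce" labels, the SHA-256 address and the names `prf`, `SealSegment` and `Plan` are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// prf is HMAC-SHA256; it derives the subkeys and the per-segment nonce.
func prf(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// SealSegment returns a content address and nonce||ciphertext. The nonce is a
// keyed hash of the plaintext (assumed scheme), so equal segments seal equally.
func SealSegment(dek, seg []byte) (string, []byte, error) {
	block, err := aes.NewCipher(prf(dek, []byte("enc")))
	if err != nil {
		return "", nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", nil, err
	}
	nonce := prf(prf(dek, []byte("nonce")), seg)[:gcm.NonceSize()]
	blob := append(nonce, gcm.Seal(nil, nonce, seg, nil)...)
	return fmt.Sprintf("%x", sha256.Sum256(blob)), blob, nil
}

// Plan returns the sealed segments whose address the provider does not hold.
func Plan(dek []byte, segs [][]byte, remote map[string]bool) (map[string][]byte, error) {
	upload := map[string][]byte{}
	for _, seg := range segs {
		if id, blob, err := SealSegment(dek, seg); err != nil {
			return nil, err
		} else if !remote[id] {
			upload[id] = blob
		}
	}
	return upload, nil
}

func main() {
	up, err := Plan([]byte("constructed sample DEK"), [][]byte{[]byte("a"), []byte("b")}, nil)
	fmt.Println(len(up), err)
}
```

Determinism is what lets an unchanged segment keep its address between runs; it also means a provider can tell when two blobs sealed under the same DEK hold the same plaintext.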

Project Structure

```
horcrux/
├── cmd/cli/                  # CLI application (urfave/cli)
├── gui/                      # macOS GUI (Wails v2 + Svelte 4)
│   ├── app.go                # Go backend methods
│   └── frontend/src/components/
├── docs/                     # Documentation
├── internal/
│   ├── auth/                 # Touch ID + Keychain (CGo)
│   ├── config/               # Path configuration
│   ├── crypto/               # Argon2id + AES-256-GCM
│   ├── distribute/           # Distribution engine
│   │   ├── distribute.go     # Distribute / Restore / GC
│   │   ├── segment/          # Content-addressed segments
│   │   └── manifest/         # Versioned manifest
│   ├── providers/            # Provider config CRUD
│   ├── shamir/               # GF(256) Secret Sharing
│   └── vault/                # Vault CRUD + chunked file store
│       └── filestore/        # Content-addressed file chunks
├── storage/                  # 7 provider implementations
└── scripts/                  # Build helpers
```

Build From Source

```bash
# Prerequisites: Go 1.22+, Node 20+, Wails CLI
go install github.com/wailsapp/wails/v2/cmd/wails@latest

# CLI
go build -o /usr/local/bin/horcrux ./cmd/cli/

# GUI
cd gui && wails build -nopackage
# App bundle at gui/build/bin/Horcrux
```

License & Contributing

Contributions, issues, and feature requests are welcome.
