# seQRets

> seQRets is an open-source, zero-knowledge cryptographic tool for securing, splitting, and sharing secrets (crypto seed phrases, private keys, passwords) using Shamir's Secret Sharing and XChaCha20-Poly1305 encryption. Secrets are encoded as printable QR codes called Qards. Runs entirely offline — no servers, accounts, or telemetry. Licensed under AGPLv3.

**Last updated:** April 24, 2026

## Key Facts

- Encryption: XChaCha20-Poly1305 (256-bit key, 192-bit nonce)
- Key Derivation: Argon2id (64 MB memory, 4 iterations, 16-byte random salt)
- Optional Keyfile: Second-factor binary file concatenated with password before Argon2id. Generated keyfiles are 256-bit CSPRNG. Defeats keyloggers, shoulder surfing, and weak-password brute-force.
- Secret Splitting: Shamir's Secret Sharing over GF(256) via the audited `shamir-secret-sharing` library (Cure53 + Zellic audits), configurable K-of-N threshold. Single-Qard mode (N=1) bypasses Shamir for simple personal backups.
- Share Integrity: SHA-256 hash embedded in each share (`seQRets|salt|data|sha256:`) — auto-verified at generation and restoration. One-way; reveals nothing about share contents. Desktop app shows verification UI (shield icons, printed fingerprint on Qard cards). Legacy shares without hashes are backward compatible. Manually verifiable: `echo -n "seQRets|salt|data" | shasum -a 256`.
- Output: QR codes (Qards) — printable, scannable, each containing one encrypted share. Reveal dialog offers a BIP-39 SeedQR tab for direct hardware-wallet import when the secret is a mnemonic.
- Hardware Wallet Verification: BIP-32 master fingerprint (XFP, 8 hex chars) shown below each SeedQR so users can cross-check against the fingerprint their hardware wallet displays after import. Derived from the master public key — reveals nothing about the seed. Caveat: differs if a BIP-39 passphrase is applied at import time.
- UX Safety: QR reveal dialog is view-only (no download), blur-by-default, with an eye toggle to reveal when ready to scan.
- PWA: Installable as a Progressive Web App. Service worker caches assets for true offline use after first load.
- Clipboard Safety: Copied secrets auto-clear from the clipboard after 60 seconds.
- API Key Storage (Desktop): Bob AI Gemini API keys are stored in the OS keychain (macOS Keychain / Windows Credential Store) instead of localStorage.
- Connection Indicator: Pulsing dot in the header shows red while online (exposed to network) and solid green when offline (safer state for a security app).
- Architecture: Zero-knowledge — no servers, no accounts, no telemetry, fully offline
- Quantum Resistance: Fully quantum-resistant under the scheme's assumptions. While fewer than K shares are compromised, Shamir's Secret Sharing provides information-theoretic security — the ciphertext is never reconstructed, so no quantum computer can attack it. XChaCha20-Poly1305 serves as defense-in-depth in the event of share threshold compromise.
- License: AGPLv3
- Source Code: https://github.com/seQRets/seQRets-app

## Platforms

- Web App (free): https://app.seqrets.app
- Desktop App (paid): Rust/Tauri — macOS, Windows, Linux. Adds JCOP smart card support, memory zeroization (Rust `zeroize` + compiler-fence), code signing, OS keychain API key storage, SHA-256 share integrity verification UI, PDF export of inheritance plans, time-triggered plan review reminders, comprehensive inheritance planner (multiple secret sets, beneficiaries, incapacitation planning, edit & re-encrypt, automated review reminders).
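
The share integrity format listed under Key Facts (`seQRets|salt|data|sha256:`) can be checked by recomputing the digest the same way the `shasum` one-liner does. This is an added example, not code from the seQRets project; it assumes the digest is appended as hex after `sha256:` and that the salt and data fields contain no `|`, and the function names `check_share` and `make_sample_share` are hypothetical.

```python
import hashlib
import hmac

PREFIX = "seQRets"      # literal first field, as shown on the page
HASH_TAG = "|sha256:"   # marker that introduces the embedded digest


def check_share(share: str) -> str:
    """Return "verified" or "legacy"; raise ValueError on a bad share."""
    share = share.strip()
    # Split off the embedded digest, if any. Legacy shares have none.
    body, tag, digest = share.rpartition(HASH_TAG)
    if not tag:
        body, digest = share, None

    # The hashed body must be exactly seQRets|salt|data.
    fields = body.split("|")
    if len(fields) != 3 or fields[0] != PREFIX or not all(fields[1:]):
        raise ValueError("not a seQRets|salt|data share")

    if digest is None:
        return "legacy"  # accepted, but nothing to verify against

    # Same computation as: echo -n "seQRets|salt|data" | shasum -a 256
    expected = hashlib.sha256(body.encode("utf-8")).hexdigest()
    # Assumption: hex digest; compare case-insensitively, in constant time.
    if not hmac.compare_digest(expected.encode(), digest.lower().encode()):
        raise ValueError("embedded SHA-256 does not match share contents")
    return "verified"


def make_sample_share(salt: str, data: str) -> str:
    """Build a constructed sample share (not real seQRets output)."""
    body = f"{PREFIX}|{salt}|{data}"
    return body + HASH_TAG + hashlib.sha256(body.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample values; real salt/data come from a scanned Qard.
    sample = make_sample_share("c2FsdA==", "ZGF0YQ==")
    print(check_share(sample))                       # hash present and correct
    print(check_share("seQRets|c2FsdA==|ZGF0YQ=="))  # legacy share, no hash
    try:
        check_share(sample.replace("ZGF0YQ==", "ZGF0YQ=A"))  # one char misread
    except ValueError as err:
        print("rejected:", err)
```

A bare SHA-256 like this catches misprints, scan errors and truncation, but it is not keyed, so it cannot by itself distinguish an honest share from one whose hash was recomputed after modification.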
## Documentation

- [Full Documentation](https://seqrets.app/llms-full.txt): Complete technical docs, threat model, inheritance guide, product specs, and FAQ in a single file
- [Technical Docs (browser)](https://seqrets.app/docs): Interactive documentation hub (requires JavaScript)
- [Technical Overview](https://seqrets.app/docs/technical): Encryption pipeline, crypto primitives, keyfile docs
- [Inheritance Guide](https://seqrets.app/docs/inheritance): Step-by-step inheritance planning
- [Threat Model](https://seqrets.app/docs/threat-model): What seQRets protects against (and doesn't)
- [Product Specs](https://seqrets.app/docs/products): Desktop app, smart cards, bundles, accessories
- [FAQ](https://seqrets.app/docs/faq): Frequently asked questions
- [Features](https://seqrets.app/features): Feature overview with web vs desktop comparison
- [Security Page](https://seqrets.app/security): Security deep dive, threat model, FAQ
- [How It Works](https://seqrets.app/how-it-works): Visual walkthrough with screenshots
- [Recovery Tool](https://seqrets.app/recover): Choice page for seQRets Recover — explains the online (GitHub Pages) vs. offline (downloadable) options with SHA-256 verification guidance

## Source & Community

- [GitHub Repository](https://github.com/seQRets/seQRets-app): Full source code, issues, contributions
- [seQRets Recover](https://github.com/seQRets/seQRets-Recover): Independent, single-file recovery tool for the seQRets share format (MIT licensed). Available three ways: (1) [seqrets.app/recover](https://seqrets.app/recover) — choice page explaining the options; (2) [seqrets.github.io/seQRets-Recover](https://seqrets.github.io/seQRets-Recover/) — hosted version (quick check, requires GitHub Pages online); (3) [direct download](https://github.com/seQRets/seQRets-Recover/releases/latest/download/recover.html) — recover.html for offline / inheritance / archival use (recommended).
- [Security Policy](https://github.com/seQRets/seQRets-app/blob/main/SECURITY.md): Vulnerability reporting
- [License](https://github.com/seQRets/seQRets-app/blob/main/LICENSE): AGPLv3

## Contact

- General inquiries: hello@seqrets.app
- Security disclosures & encrypted communication: seqrets@proton.me
- PGP Key: [https://seqrets.app/pgp.txt](https://seqrets.app/pgp.txt) (plain text, bot-accessible)
- PGP Page: [https://seqrets.app/pgp](https://seqrets.app/pgp) (interactive, requires JavaScript)
- Fingerprint: `2C4D CD66 1F22 05AC 15C3 AC04 E462 D3A7 3866 C5D9`
- Proton-to-Proton messages to seqrets@proton.me are E2E encrypted automatically

## Blog

- [Blog Index](https://seqrets.app/blog)
- [A Fake Ledger App on the App Store Just Drained a Musician's $420K Retirement Stash](https://seqrets.app/blog/fake-ledger-app-store-scam-g-love)
- [Inside the $285M Drift Protocol Hack: Why Single-Key Security Is a Liability](https://seqrets.app/blog/drift-protocol-hack-secret-splitting)
- [Zero Knowledge Goes Mainstream: Why 2026 Is ZKP's Breakout Year](https://seqrets.app/blog/zero-knowledge-proofs-mainstream-crypto-2026)
- [The $5 Wrench Problem: Physical Attacks on Bitcoin Holders](https://seqrets.app/blog/wrench-attacks-bitcoin-physical-security)
- [Hong Kong Decryption Law & Bitcoin Travelers](https://seqrets.app/blog/hong-kong-decryption-law-bitcoin-travelers)
- [Why Seed Phrase Security Matters](https://seqrets.app/blog/why-seed-phrase-security-matters)
- [Shamir's Secret Sharing Explained](https://seqrets.app/blog/shamirs-secret-sharing-explained)
- [Crypto Inheritance Planning](https://seqrets.app/blog/crypto-inheritance-planning)

## Optional

- [Product Catalog](https://seqrets.app/shop): Desktop app, smart cards, bundles, accessories
- [Privacy Policy](https://seqrets.app/privacy)
- [Terms of Service](https://seqrets.app/terms)