ShamirBox – Argon2id · Shamir

Environment warning

This browser does not provide crypto.getRandomValues. A cryptographically secure RNG is required. Do not use this environment for secrets.

Encrypt using one master password and an optional set of slave passwords. Decrypt with the master or slave passwords that meets the threshold.

Name (optional, max 32, stored UNENCRYPTED!)

Description (optional, max 2048 chars, stored UNENCRYPTED!)

Plaintext

Argon2id settings

Memory (KB)

Iterations

Minimum enforced: memory ≥ 131,072 KB (128 MB), iterations ≥ 4.

Master credentials

Master password

Decryptable with master alone, or with slave passwords.

Master password hint (optional, max 256 chars, stored UNENCRYPTED!)

Slave passwords

Number of slaves N (0–255)

Threshold T (0–255, ≤ N)

Locked box (HEX)

Locked box info

Name:

Description:

KDF memory cost (kB):

KDF iterations:

KDF parallelism:

KDF hash length (bytes):

Number of slaves N:

Slave IDs:

Threshold T:

Created:

Version:

Master password (optional)

Slave passwords

Plaintext

Slave passwords

List of all used slave passwords (with IDs)

Encrypt

ShamirBox is like a secure digital lockbox you create in your browser. On Encrypt, enter the text you want to protect, set a strong master password, and optionally add several slave passwords with a threshold — for example, 4 slaves with a threshold of 2 means any 2 of them together can unlock the box. Click Encrypt, and the app will generate a self-contained Payload HEX — your locked box — which you can save or share.

Decrypt

To open it later, go to Decrypt and paste the Payload HEX. If you know the master password, you can open it directly. If not, enter enough correct slave passwords to meet the threshold, and the app will and unlock the box and display the original text.

MAC note: string values are MAC’d as raw UTF‑8 bytes with no Unicode normalization (no NFC/NFD/compat). Disaster‑recovery tools must follow this when recomputing the HMAC.