For working journalists · researchers · anyone holding a source’s trust

Private Archive

An offsite archive that we cannot read,
cannot trace, and cannot give up.

If you keep notes, recordings, or documents that someone might one day come looking for, the central problem of cloud storage is the same problem it always was: your provider knows it’s you, knows where you are, and can be compelled to act on that knowledge.

Private Archive is built so that the provider knows none of it. Not your name, not your inbox, not your IP, not the names of your files, and not what is in them. Restic encrypts the archives on your machine, before transit. The service receives ciphertext only. Where the bytes are warehoused is, by design, irrelevant: a service that has never held the decryption keys cannot be compelled to surrender them. The transport happens through Tor. Payment happens in Monero, against a subaddress that is yours alone and means nothing to anyone else.

If we are subpoenaed for “the data of [name],” we have nothing to give. We do not know what name maps to what archive. We never did.

What we don’t collect

  • Your name, alias, or contact details
  • Your IP address (Tor obscures it; we do not log)
  • The plaintext of your files (Restic encrypts before transit)
  • The names of your files (Restic encrypts those too)
  • Your payment trail (Monero settles privately)
  • Any browser, device, or session identifier

What we keep — minimum viable

  • The first eight characters of your client certificate’s SHA-256 hash
  • The number of bytes you have stored
  • The amount of credit remaining on your balance
  • Encrypted blobs — the only form in which your work ever reaches us

That’s it. There is nothing else to leak.

Threats this is built against

Border seizure of your laptop Restic-encrypted blobs are unreadable without your passphrase. The cert ≠ the keys.
Subpoena to a US/EU cloud provider There is no provider here who knows who you are. The provider is us. We don’t know either.
Network interception (ISP, hotel Wi-Fi, airport) Tor + TLS. The wire shows traffic to a Tor entry node, nothing more.
Server-side compromise of this service The attacker gets ciphertext. We don’t hold keys, plaintext, or routing metadata.
Coercion of the operator There is nothing readable to coerce out of us. Mathematics, not goodwill.
Loss of your client certificate Total archive loss. This is intentional. A recoverable archive is a coercible one.
Loss of your Restic passphrase Total archive loss. The keys live with you, never with us. There is no recovery path, and that is the point.

Plays well with the rest of your kit

Private Archive is one piece of a larger workflow. It does not replace your work on Tails, your sources’ SecureDrop intake, or your locked-down editing machine. It complements them: it’s the place to put the encrypted output when it leaves your hands, so that if your machine is lost, seized, or corrupted, the work survives without compromising anyone.

How a working day looks

  1. Install the client on the machine where the work lives. Generate a certificate.
  2. Verify the SHA256 of the binary against our published sums (or build from source).
  3. Fund a small XMR balance — one or two months ahead of need.
  4. Schedule nightly backups: privatearchive backup ~/Work.
  5. Restore a known file from a different machine, before you trust the system with anything important.
  6. Forget we exist, until you need us.

What it costs

Pay-as-you-go, in Monero. You fund a balance; the balance burns down as you store and transfer; you top it up when it runs low. There is no subscription, no card on file, no renewal date for anyone to lean on. If you stop paying, the archive eventually expires. If you keep paying, it doesn’t.

Get the client

Static binaries. Reproducible builds. Verify before running.