// privatearchive.xyz · v0.1.0 · reproducible builds

Encrypted offsite backup for people who read the source.

Files are encrypted with restic on your machine, pushed to our relay over Tor, and billed in XMR. The server only ever holds ciphertext. Authentication is an X.509 client cert — no email, no password, no recovery flow. The cert is the account.

Download v0.1.0 man privatearchive(1)

curl | sh brew apt scoop

$ curl -fsSL https://privatearchive.xyz/install.sh | sh
# verify SHA256 against published sums (recommended):
$ sha256sum -c SHA256SUMS | grep OK

spec.toml

[archive]
name        = "Private Archive"
version     = "0.1.0"
domain      = "privatearchive.xyz"

[crypto]
# AES-256-GCM via Restic on the client side
# server holds ciphertext only
# storage backend opaque, by design — service doesn't have keys
at_rest     = "restic / AES-256-GCM"
in_flight   = "TLS 1.3 over Tor"
auth        = "mTLS / X.509"
password    = false
server_keys = false # we don't have any

[billing]
currency    = "XMR"
model       = "pay-as-you-go"
pii         = false
analytics   = false

01 CLI walkthrough

Three sessions: bootstrap, fund, back up. No accounts. No recovery email. The certificate file identity.pem is your entire account — back it up somewhere durable.

~/private-archive — init

$ privatearchive init
# generating ed25519 key, signing CSR, saving identity.pem...
[ok]  identity.pem written to ~/.private-archive/identity.pem
[ok]  cert fingerprint: a13f e0c2 9d4b 7766 ... 02b1
[!]   no recovery. back up identity.pem now. seriously.

$ privatearchive id
account_id  : sha256(cert)[:16]
tor_circuit : healthy  # 3 hops
balance     : 0.00000000 XMR

~/private-archive — pay

$ privatearchive topup --xmr 0.05
subaddress  : 8B...kE9   # unique to this top-up
expires_at  : +30m        # rate locked
qr          : run 'topup --qr' for terminal QR

$ privatearchive balance --watch
balance  0.00000000 XMR  # pending...
balance  0.05000000 XMR  [confirmed: 10/10]

~/private-archive — backup

$ privatearchive backup ~/code ~/Documents \
    --exclude node_modules

# delegating to restic, transport=tor, mtls=on
scanned   : 142,318 files (37.4 GiB)
new       :   9,041 files ( 2.1 GiB)
encrypted : 100%  # before any byte leaves the host
uploaded  :  2.1 GiB via tor://
snapshot  : 3f0c1d   [ok]

$ privatearchive snapshots
ID       WHEN          SIZE
3f0c1d   2026-05-04     2.1 GiB
b8a204   2026-04-27    14.6 GiB

privatearchive restore <ID> --to ./out works the same way. The CLI streams ciphertext from the relay, restic decrypts locally with the key only your machine holds, and writes plaintext into ./out.

02 The stack, in one screen

No proprietary blobs in the data path. Every component is something you can man, audit, or replace.

crypto

restic

Content-defined chunking, AES-256-GCM, deduplicated repos. Keys are derived on your machine; we never touch them.

repo   = "private-archive://"
cipher = "AES-256-GCM"

transport

tor

All traffic exits over Tor by default. No clearnet fallback unless you flip --insecure-clearnet (don't).

socks5 = "127.0.0.1:9050"
leak   = false

authn

mTLS / X.509

Client cert — not a password — identifies you. Server stores SHA256(cert); nothing else.

id     = "sha256(cert)"
expiry = "none" # revocation only

billing

monero

Per-account subaddresses. Rate locked for 30 min when you top up. No KYC, no card vault, no PII.

currency = "XMR"
confirm  = 10 # blocks

build

reproducible

Open-source clients, deterministic builds, signed releases. You can verify, not just trust.

go     = "1.24"
sha256 = "published"

03 Privacy, as a config file

A short list of things we do not do. Each line is enforced in code, not policy.

collect_pii = false

No name, email, phone, billing address, IP log, or device fingerprint. Ever.

see_plaintext = false

Encryption happens before bytes leave the machine. We hold ciphertext, nothing else.

password_recovery = false

There is no password. There is no recovery flow. Back up identity.pem.

page_analytics = false

This page ships zero JavaScript trackers, no fonts, no remote assets. view-source: it.

third_party_scripts = false

No CDNs, no Google Fonts, no embedded videos. The bytes you fetched are the bytes we shipped.

payment_kyc = false

Monero in, storage out. There is no card vault, no billing identity to leak in a breach. We have tried hard to ensure that.

open_source = true

Client + protocol are open source. Reproducible builds. SHA256 sums published with every release.

tor_default = true

The transport is Tor. Clearnet is opt-in, loud, and we will yell at you in the logs.

04 Pricing

One model. Pay-as-you-go in XMR. Top up when the balance runs low. Cancel by not topping up.

# pay-as-you-go in XMR — balance burns by the second
# top up to refill, no subscription, no minimums, no card vault
$ privatearchive topup --xmr 0.05      # add credit
$ privatearchive balance               # check what's left
$ privatearchive backup ./src          # spend it

Pricing is published in the client and in git.privatearchive.xyz/protocol. Run out of balance and writes pause; existing data is held according to the grace period documented in the spec.

05 Download v0.1.0

Pick your platform. Verify SHA256SUMS. Read the source if you want — you should.

# typical verification flow
$ curl -O https://privatearchive.xyz/releases/v0.1.0/SHA256SUMS
$ sha256sum -c SHA256SUMS | grep privatearchive-linux-amd64
privatearchive-linux-amd64.tar.gz: OK