The longevity and confidentiality of research material, without compromise.
Private Archive is a small, deliberate tool for scholars who care what becomes of their data — encrypted on the workstation by software they can audit, transported over Tor, and held offsite in a form no one but the holder of the key can read.[1]
Download the client v0.1.0 · macOS, Linux, Windows · reproducible builds
I. · On the durability problem
The literature on digital preservation has, for at least three decades, returned again and again to the same uncomfortable conclusion: institutional repositories come and go, file formats fall out of fashion, hard drives die quietly in office drawers, and the storage substrate beneath us is rarely as permanent as the words we write upon it.[2] A doctoral thesis is the work of years; the medium it lives on is rarely the work of more than a decade.
Compounding this is the matter of confidentiality. Interview transcripts gathered under ethics review, fieldnotes that name informants, draft manuscripts containing claims one is not yet ready to defend — this material does not belong, unencrypted, on a consumer cloud. Encryption ought not to be optional for sensitive datasets; it ought to be the default condition under which they exist outside the researcher’s own machine.
Private Archive is built on that assumption. Restic encrypts research data on the user’s hardware before any transit; the service holds only ciphertext. The physical location of that ciphertext is, by design, an irrelevance for the security of the material: a service that holds no decryption keys cannot disclose the contents in any circumstance — whether by breach, by acquisition, or by error.
- 1. The threat model is set out in concrete terms in §II below; the reader anxious about what the server can and cannot see is invited to skip ahead.
- 2. See, for instance, the long-running discussion of “bit rot” and format migration in the digital curation literature; the present author offers no original contribution to that debate.
II. · What this is, in concrete terms
Private Archive is, in essence, four well-understood pieces of software arranged carefully:
- Client-side encryption: The Restic backup tool encrypts your files locally with a key only you possess. Deduplication and integrity verification happen on already-encrypted data. The server stores opaque ciphertext and nothing else; the keys never leave your hardware.
- Tor transport: The client communicates with our server exclusively over Tor. We do not learn your IP address, your institution, or your network topology. We could not log it if we wished to.
- Monero settlement: Billing is conducted in Monero (XMR), a privacy-preserving cryptocurrency. There is no card on file, no recurring charge, and no payment processor in the loop who knows what you are buying.
- mTLS authentication: Your account is an X.509 client certificate. There is no username, no password, no email address, and no recovery procedure. The certificate is the account; lose it and the data, though intact on disk, is yours alone to mourn.[3]
- 3. This is, deliberately, the same trust model under which a cryptographic wallet operates. Custody is the price of confidentiality.
III. · On long-horizon preservation
It would be dishonest to present this service as a solution to the durability problem set out above. It is not. It is one piece of a preservation strategy, and a deliberately narrow piece at that. What it offers is the following: an offsite copy of encrypted material whose readability is contingent only upon the researcher’s continued custody of the key, and not upon the continued goodwill, solvency, or jurisdictional cooperation of any operator — ourselves included.
That is a different proposition from the work of an institutional repository, and not a substitute for it. A curated repository attends to format migration, descriptive metadata, citation infrastructure, and the human labour of stewardship. We attend to none of those things. The reader is urged to treat Private Archive as a confidentiality-preserving offsite copy alongside whatever curated deposit their institution or funder requires — not in place of it.
IV. · What it is not
An honest description of any tool must include the work it declines to do. Private Archive is not:
- A substitute for your institution’s preservation programme. If your university or funder requires deposit in a curated repository, that obligation is unaffected by what you do here.
- A citable persistent identifier. We issue no DOIs, no Handles, and no ARKs. Material stored here is not addressable for the purposes of scholarly citation.
- A retention manager. We will not remind you to verify your backups, rotate your certificate, or migrate file formats. You remain responsible for your own retention and curation strategy.
- An ethics or compliance authority. We make no claims about whether storing a particular dataset here satisfies your IRB, REC, or data-protection obligations — those determinations are yours to make in consultation with your institution.
V. · Settlement
Settlement is in Monero, on a pay-as-you-go basis. Funded balances are consumed by the second of storage; refills are user-initiated. There is no subscription, no minimum commitment, and no continuing instrument on file.
A balance, once exhausted, lapses; the obligation to maintain it rests with the user, as does the obligation to keep an additional copy of any material whose loss would be material.
VI. · How it fits a research workflow
Private Archive is not the first place a paper goes, nor the last. It is a quiet adjunct to whatever else you already do. In practice, colleagues have found it suitable for:
- Interview audio under ethics restrictions. Recordings encrypted at rest before they ever touch external infrastructure; the only key remains on your laptop.
- Draft manuscripts. Working copies of chapters and articles that you would prefer not to entrust to commercial document services.
- Dataset working copies. Snapshots of in-progress data that have not yet earned a place in a curated repository.
- Code-and-data reproducibility snapshots. Tagged bundles of analysis scripts together with the precise inputs they were run against, kept for the day a reviewer asks.
VII. · Download — v0.1.0
The client is open source and built reproducibly. Verify each archive against SHA256SUMS before installation. The source archive is offered alongside the binaries so that the encryption may be inspected and the builds reproduced by any reader so inclined.[4]
- privatearchive-darwin-arm64.dmg: macOS — Apple Silicon
- privatearchive-darwin-amd64.dmg: macOS — Intel
- privatearchive-linux-amd64.tar.gz: Linux — amd64
- privatearchive-linux-arm64.tar.gz: Linux — arm64
- privatearchive-windows-amd64.zip: Windows — amd64
- privatearchive-source-v0.1.0.tar.gz: Source archive — for independent verification of the encryption
- SHA256SUMS: checksums for the above
- 4. The reader is, of course, under no obligation to do so; but a service that asks you to entrust it with encrypted research material ought, at minimum, to publish the source by which that encryption is performed.
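The verification step asked for in §VII, as an added example that is not part of the Private Archive client or its documentation. It assumes SHA256SUMS uses the GNU coreutils line format (the page does not specify it); the function names are illustrative, and the demo runs on constructed stand-in files rather than real release archives.

```python
import hashlib, hmac, re, tempfile
from pathlib import Path

# Assumed GNU coreutils line format: 64 hex digits, a space, ' ' or '*', then the file name.
LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_sums(text):
    """Return {filename: digest}; reject malformed lines and conflicting duplicates."""
    sums = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"SHA256SUMS line {n} is malformed")
        digest, name = m.group(1).lower(), m.group(2)
        if sums.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting entries for {name}")
    return sums

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()  # streamed, so large archives are not held in memory
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(archive, sums_file):
    """Return 'ok', 'mismatch' or 'unlisted'; install only on 'ok'."""
    sums = parse_sums(Path(sums_file).read_text(encoding="utf-8"))
    expected = sums.get(Path(archive).name)
    if expected is None:
        return "unlisted"  # fail closed: no entry means nothing was verified
    return "ok" if hmac.compare_digest(sha256_file(archive), expected) else "mismatch"

def demo():
    """Constructed stand-in files (not real release artefacts) in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        archive = Path(d, "privatearchive-linux-amd64.tar.gz")
        archive.write_bytes(b"constructed sample bytes")
        sums = Path(d, "SHA256SUMS")
        sums.write_text(f"{sha256_file(archive)}  {archive.name}\n", encoding="utf-8")
        good = verify(archive, sums)
        archive.write_bytes(b"constructed sample bytes, altered")
        bad = verify(archive, sums)
        return good, bad, verify(Path(d, "privatearchive-windows-amd64.zip"), sums)

if __name__ == "__main__":
    print(demo())
```

A SHA256SUMS file fetched from the same place as the archive catches a corrupted or truncated download; comparing against a digest of a build you reproduced from the source archive is the independent check.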