tzap 0.1.8

Fast encrypted archive CLI with built-in recovery and safe restores
# tzap

Fast archives that can heal.

`tzap` is the archive CLI for people who want backups to be private when needed,
fast, recoverable, and easy to restore. It packs zstd compression, optional
authenticated encryption, safe extraction defaults, multi-volume recovery, and
instant selected-file restores into one practical command.

This release is the v44-compliant reference CLI for documented supported
workflows, with v43 reader compatibility.

Use it for project folders, private datasets, media collections, cold storage,
cloud object storage, and long-lived backup sets where "just zip it" is not
enough.

## Why use it

- **Fast archives.** Rust, zstd, and indexed metadata keep large backups moving.
- **Private or public archives.** Use passphrase/raw-key encryption for private
  archives, or `--no-encryption` for explicit plaintext archives.
- **Self-healing archives.** Recovery data can repair accidental damage within
  the budget chosen at create time.
- **Instant targeted restores.** Restore one file from a large archive without
  unpacking everything else.
- **Split-volume storage.** Write deterministic volume files for drives, discs,
  and cloud object storage.
- **Signed roots.** Ed25519 and X.509 RootAuth workflows are available when
  archives need origin authentication.

## Install

From Homebrew:

```sh
brew tap tzap-org/tzap
brew install tzap
```

From crates.io:

```sh
cargo install tzap
```

The CLI requires Rust 1.85 or newer when installing from source.

## Quick start: passphrase archive

Create an encrypted archive from a passphrase:

```sh
export TZAP_PASSPHRASE='correct horse battery staple'
printf '%s\n' "$TZAP_PASSPHRASE" | \
  tzap create --password-stdin \
  -o backup.tzap \
  ./project
```

Inspect and verify it:

```sh
printf '%s\n' "$TZAP_PASSPHRASE" | tzap list --password-stdin backup.tzap
printf '%s\n' "$TZAP_PASSPHRASE" | tzap verify --password-stdin backup.tzap
```

Restore everything:

```sh
printf '%s\n' "$TZAP_PASSPHRASE" | \
  tzap extract --password-stdin --directory restored backup.tzap
```

Restore one file:

```sh
printf '%s\n' "$TZAP_PASSPHRASE" | \
  tzap extract --password-stdin --stdout backup.tzap project/readme.txt
```

## Quick start: key file archive

```sh
tzap keygen --output project.key
tzap create --keyfile project.key -o project.tzap ./project
tzap verify --keyfile project.key project.tzap
tzap list --keyfile project.key project.tzap
tzap extract --keyfile project.key -C restored project.tzap
```

## Quick start: plaintext archive

```sh
tzap create --no-encryption -o public.tzap ./public-project
tzap verify public.tzap
tzap list public.tzap
tzap extract -C restored public.tzap
```

## Recoverable multi-volume archive

Create three volumes that can survive one missing volume:

```sh
tzap create \
  --keyfile project.key \
  --volumes 3 \
  --volume-loss-tolerance 1 \
  -o project.tzap \
  ./project
```

This writes:

```text
project.vol000.tzap
project.vol001.tzap
project.vol002.tzap
```

Verify or restore from any discovered volume:

```sh
tzap verify --keyfile project.key project.vol000.tzap
tzap extract --keyfile project.key --directory restored project.vol001.tzap
```

## Signed RootAuth workflow

```sh
tzap signing-keygen --secret-output root.signing.hex --public-output root.public.hex
tzap create --keyfile project.key --signing-key root.signing.hex -o signed.tzap ./project
tzap verify --keyfile project.key --trusted-public-key root.public.hex signed.tzap
tzap verify --public-no-key --trusted-public-key root.public.hex signed.tzap
```

X.509 RootAuth signing is available with `--signing-cert`,
`--signing-private-key`, and optional `--x509-signature-scheme`.

## Safety defaults

`tzap extract` validates archive paths and does not overwrite existing files
unless `--overwrite` is supplied. Keep passphrases and key files separate from
archive data; raw-key archives require the original 32-byte key.

## Trust material

- Security model: <https://github.com/tzap-org/tzap/blob/main/public-docs/tzap-security-model.md>
- Recovery matrix: <https://github.com/tzap-org/tzap/blob/main/public-docs/tzap-recovery-matrix.md>
- Benchmark results: <https://github.com/tzap-org/tzap/blob/main/public-docs/tzap-benchmark-results.md>
- CLI reference: <https://github.com/tzap-org/tzap/blob/main/public-docs/tzap-cli-reference.md>
- Operational boundaries: <https://github.com/tzap-org/tzap/blob/main/public-docs/tzap-operational-boundaries.md>
- v44 compliance traceability: <https://github.com/tzap-org/tzap/blob/main/public-docs/traceability/README.md>

## More information

- Repository: <https://github.com/tzap-org/tzap>
- Format specification: <https://github.com/tzap-org/tzap/blob/main/specs/tzap-format-revisedv44.md>
- Library crate: <https://crates.io/crates/tzap-core>
- Signing plugin crate: <https://crates.io/crates/tzap-plugin-signing>