tzap 0.1.1

Command-line tool for creating, listing, verifying, and extracting tzap archives
tzap-0.1.1 is not a library.

tzap

tzap is the command-line interface for the tzap v0.41 archive format. It creates, lists, verifies, and extracts encrypted archives with authenticated metadata, zstd compression, safe extraction defaults, and optional multi-volume recovery.

Install

From Homebrew:

brew tap frankmanzhu/tzap https://github.com/frankmanzhu/tzap
brew install frankmanzhu/tzap/tzap

From crates.io:

cargo install tzap

The CLI requires Rust 1.85 or newer when installing from source.

Quick Start

Create a raw key and archive a directory:

tzap keygen --output project.key
tzap create --keyfile project.key -o project.tzap ./project

Inspect and verify the archive:

tzap list --keyfile project.key project.tzap
tzap verify --keyfile project.key project.tzap

Create a signed v41 RootAuth archive:

tzap signing-keygen --secret-output root.signing.hex --public-output root.public.hex
tzap create --keyfile project.key --signing-key root.signing.hex -o signed.tzap ./project
tzap verify --keyfile project.key --trusted-public-key root.public.hex signed.tzap
tzap verify --public-no-key --trusted-public-key root.public.hex signed.tzap

The CLI composes tzap-core with tzap-plugin-signing for Ed25519 RootAuth signing. Library users can choose tzap-core for archive workflows or compose it with tzap-plugin-signing for signed RootAuth workflows.

Extract files safely into a destination directory:

tzap extract --keyfile project.key --directory restored project.tzap

Passphrase mode is available for scripted workflows:

printf '%s\n' "$TZAP_PASSPHRASE" | \
  tzap create --password-stdin -o secrets.tzap ./secrets

Multi-Volume Recovery

tzap create \
  --keyfile project.key \
  --volumes 3 \
  --volume-loss-tolerance 1 \
  -o project.tzap \
  ./project

tzap verify --keyfile project.key project.tzap.000 project.tzap.001 project.tzap.002

Safety

tzap extract applies safe path validation and overwrite protection; --overwrite enables explicit replacement. Keep passphrases and raw keyfiles separate from archive data; raw-key archives require the original 32-byte key.

More Information