tzap 0.1.10

Fast encrypted archive CLI with built-in recovery and safe restores
tzap-0.1.10 is not a library.

tzap

Fast archives that can heal.

tzap is the archive CLI for people who want backups to be private when needed, fast, recoverable, and easy to restore. It packs zstd compression, optional authenticated encryption, safe extraction defaults, multi-volume recovery, and instant selected-file restores into one practical command.

This release is the v44-compliant reference CLI for documented supported workflows. Legacy v43 inputs fail closed with an unsupported revision error.

Use it for project folders, private datasets, media collections, cold storage, cloud object storage, and long-lived backup sets where "just zip it" is not enough.

Why use it

  • Fast archives. Rust, zstd, and indexed metadata keep large backups moving.
  • Private or public archives. Use passphrase/raw-key encryption for private archives, or --no-encryption for explicit plaintext archives.
  • Self-healing archives. Recovery data can repair accidental damage within the budget chosen at create time.
  • Instant targeted restores. Restore one file from a large archive without unpacking everything else.
  • Split-volume storage. Write deterministic volume files for drives, discs, and cloud object storage.
  • Signed roots. Ed25519 and X.509 RootAuth workflows are available when archives need origin authentication.

Install

From Homebrew:

brew tap tzap-org/tzap
brew install tzap

From crates.io:

cargo install tzap

The CLI requires Rust 1.85 or newer when installing from source.

Quick start: passphrase archive

Create an encrypted archive from a passphrase:

export TZAP_PASSPHRASE='correct horse battery staple'
printf '%s\n' "$TZAP_PASSPHRASE" | \
  tzap create --password-stdin \
  -o backup.tzap \
  ./project

Inspect and verify it:

printf '%s\n' "$TZAP_PASSPHRASE" | tzap list --password-stdin backup.tzap
printf '%s\n' "$TZAP_PASSPHRASE" | tzap verify --password-stdin backup.tzap

Restore everything:

printf '%s\n' "$TZAP_PASSPHRASE" | \
  tzap extract --password-stdin --directory restored backup.tzap

Restore one file:

printf '%s\n' "$TZAP_PASSPHRASE" | \
  tzap extract --password-stdin --stdout backup.tzap project/readme.txt

Quick start: key file archive

tzap keygen --output project.key
tzap create --keyfile project.key -o project.tzap ./project
tzap verify --keyfile project.key project.tzap
tzap list --keyfile project.key project.tzap
tzap extract --keyfile project.key -C restored project.tzap

Quick start: plaintext archive

tzap create --no-encryption -o public.tzap ./public-project
tzap verify public.tzap
tzap list public.tzap
tzap extract -C restored public.tzap

Recoverable multi-volume archive

Create three volumes that can survive one missing volume:

tzap create \
  --keyfile project.key \
  --volumes 3 \
  --volume-loss-tolerance 1 \
  -o project.tzap \
  ./project

This writes:

project.vol000.tzap
project.vol001.tzap
project.vol002.tzap

Verify or restore from any discovered volume:

tzap verify --keyfile project.key project.vol000.tzap
tzap extract --keyfile project.key --directory restored project.vol001.tzap

Signed RootAuth workflow

tzap signing-keygen --secret-output root.signing.hex --public-output root.public.hex
tzap create --keyfile project.key --signing-key root.signing.hex -o signed.tzap ./project
tzap verify --keyfile project.key --trusted-public-key root.public.hex signed.tzap
tzap verify --public-no-key --trusted-public-key root.public.hex signed.tzap

X.509 RootAuth signing is available with --signing-cert, --signing-private-key, and optional --x509-signature-scheme.

Safety defaults

tzap extract validates archive paths and does not overwrite existing files unless --overwrite is supplied. Keep passphrases and key files separate from archive data; raw-key archives require the original 32-byte key.

Trust material

More information