End-to-end encrypted source control.
Without changing how you use Git. Sealrepo encrypts your source before it touches the repo — so a leaked token, a contractor, or an AI indexing run sees only opaque bytes. Your team still branches, merges, and pushes exactly the way they do today.
What an AI sees in your repo
The directory structure alone reveals everything. Sealrepo wraps it in random bytes.
my-billing-service/
├── src/
│ ├── stripeAdapter.ts
│ ├── customerService.ts
│ └── controllers/
├── package.json
│ "stripe": "^14.0.0"
│ "twilio": "^4.0.0"
├── .env.example
└── README.md
  "# Internal Billing Service"

my-billing-service/
├── vendor/
│ ├── _01/
│ │ └── _8a3f9c1e2d4b
│ ├── _0d/
│ │ └── _1f1a70fe30a4
│ ├── _15/
│ │ └── _342d9c961c89
│ └── … (random binary blobs)
├── package.json
│ {"name":"app"}
└── .gitignore

Works with the Git you already use
Sealrepo sits underneath Git, not in front of it. Your team keeps its branches, pull requests, and CI — the encryption is invisible.
Branch & merge as usual
Sealed blobs commit and push cleanly. A Sealrepo merge driver resolves conflicts on the encrypted manifest for you, so two teammates editing the same file Just Works.
One-command onboarding
A new teammate runs sealrepo install-hook once. From then on, checkouts, merges, and pulls stay in sync automatically — no manual lock/unlock ceremony.
CI runs untouched
Short-lived deploy tokens unlock just long enough to build, then expire. Your existing pipeline scripts don't change.
Built for developers who keep secrets
The CLI is free and open source. The dashboard adds team control.
AES-256-GCM encryption
Every file is sealed with authenticated encryption. Tampering detected. No metadata, no headers, no file extensions — just opaque binary blobs.
Passphrase + recovery code
You hold the key. We never see it. Lose your passphrase? Use your 30-character recovery code. Lose both? Even we can't read it.
Drift detection
Pre-commit hook warns when your unlocked tree diverges from the locked snapshot. Never commit a stale vault again.
Git-native
Sealed blobs commit cleanly. Restore with one command on your laptop or CI. Your deploy pipeline runs untouched.
Team key sharing
Invite teammates. Each member's wrapped key envelope lives in our zero-knowledge store. Revoke access with one click.
Panic lock
Closing your laptop in a coffee shop? One command re-locks and wipes plaintext. Or trigger it remotely from the dashboard.
Hand a contractor a key.
Take it back at any moment.
Generate a temporary access code from your dashboard. Set an expiry, an auto-lock time, and Strict Mode. If your developer ever turns rogue or you change your mind — one click revokes their access. Next time their machine comes online, their copy re-locks itself.
Four commands. Nothing to learn.
The whole flow takes 20 seconds.
Auto-detects your stack. Generates your passphrase + recovery code.
Encrypts every source file. Replaces them with opaque binary blobs.
Your repo only ever contains the sealed vault. Commit and push freely.
On any trusted machine: enter your passphrase, get your real source back.
Simple pricing
The CLI is free forever. The Team plan adds the hosted dashboard, billed per seat.
Free CLI
- Unlimited projects
- Unlimited files
- Passphrase + recovery code
- All ecosystem presets
- Drift detection
- Local sessions
- Community support
Team
Most popular
- Everything in Free
- Temporary access codes
- Auto-lock & Strict Mode
- Web dashboard + audit log
- Team key sharing with roles
- Cloud key escrow
- CI/CD short-lived tokens
- Email support
Frequently asked
If I lose my passphrase, can Sealrepo recover it?
No. We never see your passphrase or the master key. You'll need your recovery code (printed during init). If you lose both, your sealed code is unrecoverable — that's the point. Team-plan users can opt into cloud key escrow.
Can a rogue developer keep my code after I revoke?
If they already copied the unlocked files outside the project, no software can erase that. What Sealrepo guarantees is that they can never unlock future versions, and on their next online check their local vault re-locks itself.
Does this work with my CI/CD?
Yes. The Team plan gets short-lived deploy tokens that unlock just long enough to build and push, then expire. No long-lived secrets in your CI.
Will it work with any language or framework?
Yes. Sealrepo treats source files as bytes — it doesn't care if it's TypeScript, Python, Rust, Go, Ruby, PHP, or Java. Built-in presets cover all major ecosystems.
Is this DRM?
No. Sealrepo protects code at rest in your repo. Once unlocked, your code is just files on disk — runnable, editable, copyable. The protection is around the repository, not the running program.
Stop assuming your private repo stays private.
Install the CLI in 10 seconds. Create your first vault in 30. Sleep better tonight.