Back up your master key, the zero-knowledge way
Escrow means letting someone hold a sealed copy of something for safekeeping. Here, it uploads an encrypted blob of your project master key to sealrepo.dev so you can recover after a lost laptop — without us ever being able to read it. The blob is wrapped with a key derived (via scrypt) from a SEPARATE recovery passphrase you choose — not your project passphrase. We see ciphertext, never the key.
How it works
The project must be linked first (sealrepo link). When you run sealrepo escrow enable, the CLI:
- Asks for your project passphrase once, just to prove you can unlock the vault and to load the master key locally.
- Asks you to choose a separate recovery passphrase. This is the one you'll type on a new machine. Store it somewhere different from your project passphrase.
- Derives a wrapping key from that recovery passphrase using scrypt (N=2¹⁷, r=8, p=1) and a fresh random salt.
- Encrypts your project master key with AES-256-GCM under that wrapping key, and uploads only the ciphertext + scrypt salt to sealrepo.dev. We never see either passphrase, and we never see the master key.
Anyone (including us) who steals the blob still can't read it without your recovery passphrase, and brute-forcing scrypt at those parameters on a strong passphrase costs roughly the GDP of a small country.
Enable escrow
From inside a linked repo:
Enabling escrow

    $ sealrepo escrow enable
    First, prove you can unlock this vault.
    Project passphrase: ●●●●●●●●●●●●
    Now choose a separate recovery passphrase for cloud escrow.
    Recovery passphrase: ●●●●●●●●●●●●●●●●
    Confirm recovery passphrase: ●●●●●●●●●●●●●●●●
    ✓ Cloud escrow enabled.
    Recover on a new machine with: sealrepo escrow recover

See the status in the dashboard
On the project overview page, the Cloud key escrow card shows what we hold: the fingerprint (a short ID derived from the encrypted blob — it identifies the blob without revealing anything about the key), when it was uploaded, which machine uploaded it, and a button to disable it.
We only show metadata
The card doesn't show your key — we don't have it. It only shows the public fingerprint of the ciphertext, the timestamp, and the hostname you uploaded from (so you can spot uploads from machines you don't recognize).
Recover on a new machine
New laptop, fresh OS, you've lost the old one. You install & sign in again, then clone the repo (that brings the encrypted vault and keystore back from git) and run recover with your recovery passphrase:
On the replacement machine

    $ git clone [email protected]:acme/billing.git
    $ cd billing
    $ sealrepo escrow recover
    Recovery passphrase: ●●●●●●●●●●●●●●●●
    ✓ Recovery successful. Session cached — you can now run `sealrepo unlock`.
    $ sealrepo unlock
    ✓ unlocked 137 files

Recover restores the key, not the repo
Escrow brings back the master key (it caches an unlock session). The encrypted files and keystore come from git, so you must clone the repo first — recover on a directory with no vault will tell you to clone. If the recovery passphrase is wrong (or the blob was tampered with), decryption fails cleanly; scrypt is deliberately slow, so each attempt costs a second or two.
Disable escrow
If you ever want us to forget the blob entirely — for compliance, paranoia, or because you've switched to a different recovery scheme:
Disabling escrow

    $ sealrepo escrow disable
    ✓ Cloud escrow disabled. Server-side blob deleted.

Keep your recovery code
Deleting the escrow blob is immediate and permanent. Make sure you still have your recovery code (or project passphrase) somewhere safe before you disable — escrow was your cross-machine safety net.
You can also click Disable escrow on the project overview card — same effect.