Sealrepo
Recovery & safety

You always own your code

Sealrepo encrypts your source, but the keys are yours — derived from your passphrase, on your machine. This page walks through exactly why your access to your own code never depends on our servers, your subscription, or your account, and what you're responsible for keeping safe in exchange.

Decryption happens on your machine, not ours

When you run sealrepo unlock, the key that decrypts your files is derived from your passphrase, locally. The encrypted files live in your own Git repo, wherever you host it. Sealrepo's servers coordinate team features — sharing, revocation, audit — but they never hold your plaintext, your passphrase, or your keys, so they are never a required ingredient for decrypting your own code.

Day to day, the CLI signs in so team access and revocation work. But the cryptography itself is local, and you always have offline paths to your data (below) that need no account, no network, and no subscription. Your access to your own code is a property of the math and the secrets you hold — not of our uptime or your billing status.

The recovery code: no account, no network

At sealrepo init you were shown a recovery code — a second, independent key wrap created alongside your passphrase. Unlocking with it is the one sealrepo command that works with no sign-in and no internet connection at all:

Fully offline — works signed out, on a plane, anywhere
$ sealrepo unlock --recovery
Recovery code: K8MN4-7PQR2-T5VWX-3YZ9A-BCD6E-FGH2J
unlocked 137 files

That means a clone of your repo plus your recovery code is, on its own, enough to get every line of your source back as plaintext. See Passphrase & recovery for rotation and lost-passphrase walkthroughs.

The recovery bundle: a self-contained copy of everything you need

For owners who want a belt and suspenders, sealrepo export-recovery-bundle writes a single, self-contained bundle you can store anywhere — a USB drive, a NAS, cloud storage, a safe — and use to decrypt your vault independently, on any machine, with nothing but the bundle and one of your secrets:

In your repo
$ sealrepo export-recovery-bundle --include-ciphertext
Recovery bundle written to ./sealrepo-recovery-bundle
  decrypt.js    standalone decryptor (runs with Node alone)
  lib/          a self-contained copy of Sealrepo's crypto
  keys/         salt + recovery-wrapped key (useless without your code)
  ciphertext/   a copy of your encrypted blobs (so this bundle alone restores everything)
  README.md     step-by-step instructions, readable by a human in 10 years
Includes your encrypted blobs: this bundle alone can restore everything — offline, no account, no network.

What's inside, and why each piece matters:

  • Encrypted key material — your vault's salt and your master key wrapped under your recovery code. Encrypted at rest; useless to anyone without that code.
  • The vault manifest — which files are encrypted and the exact cipher parameters used, so decryption never depends on guessing settings.
  • A standalone decryptor (decrypt.js) — a script that runs with plain Node.js. It doesn't need the sealrepo CLI installed, doesn't need an account, and never touches the network.
  • Plain-text instructions — so the person restoring (you in five years, or your estate's technical contact) can follow along without prior context.
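
The two-wrap design described under "The recovery code" and in the key-material item above, as an added example that is not Sealrepo's code: one random master key is wrapped independently under a passphrase and under a recovery code, and either secret recovers it with no network. The KDF (scrypt), the cipher (AES-256-GCM), the function names and every sample value are assumptions for illustration; the page does not name Sealrepo's algorithms.

```javascript
// Added illustration, not Sealrepo's code. scrypt and AES-256-GCM are
// assumptions: the page does not say which KDF or cipher Sealrepo uses.
const crypto = require('node:crypto');

// Derive a 256-bit key-encryption key (KEK) from a secret and the vault salt.
function deriveKek(secret, salt) {
  return crypto.scryptSync(secret.normalize('NFKC'), salt, 32, { N: 16384, r: 8, p: 1 });
}

// Wrap the master key under one secret (fresh 96-bit nonce per wrap).
function wrapKey(masterKey, secret, salt, label) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', deriveKek(secret, salt), iv);
  c.setAAD(Buffer.from(label)); // binds the wrap to its role
  const ct = Buffer.concat([c.update(masterKey), c.final()]);
  return { label, iv, ct, tag: c.getAuthTag() };
}

// Returns the master key, or null if the secret is wrong or the wrap was altered.
function unwrapKey(wrap, secret, salt) {
  const d = crypto.createDecipheriv('aes-256-gcm', deriveKek(secret, salt), wrap.iv);
  d.setAAD(Buffer.from(wrap.label));
  d.setAuthTag(wrap.tag);
  try {
    return Buffer.concat([d.update(wrap.ct), d.final()]);
  } catch {
    return null; // GCM tag check failed
  }
}

// Constructed demo values; none of these come from a real vault.
function demo() {
  const salt = crypto.randomBytes(16);
  const masterKey = crypto.randomBytes(32);
  const passphrase = 'correct horse battery staple';
  const code = 'AAAAA-BBBBB-CCCCC-DDDDD-EEEEE-FFFFF';
  const byPass = wrapKey(masterKey, passphrase, salt, 'passphrase');
  const byCode = wrapKey(masterKey, code, salt, 'recovery');
  const tampered = { ...byCode, ct: Buffer.from(byCode.ct) };
  tampered.ct[0] ^= 1; // flip one bit of the stored wrap
  return {
    viaPassphrase: unwrapKey(byPass, passphrase, salt).equals(masterKey),
    viaRecovery: unwrapKey(byCode, code, salt).equals(masterKey),
    wrongCode: unwrapKey(byCode, code.replace(/F$/, 'G'), salt),
    crossUse: unwrapKey(byCode, passphrase, salt),
    tampered: unwrapKey(tampered, code, salt),
  };
}

console.log(demo());
```

Because each wrap is authenticated, a wrong code or a corrupted `keys/` file fails cleanly instead of yielding a garbage key, which is the behaviour to verify when test-restoring a stored bundle.
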

To use it: open the bundle folder on any machine with Node.js and run the decryptor with your recovery code —

Restoring from the bundle — any machine with Node.js, no CLI, no account
$ cd sealrepo-recovery-bundle
$ node decrypt.js --out ./restored
Enter your recovery code: ●●●●●●●●●●●●
Done. Restored 137 file(s) into "./restored". Your code was decrypted entirely on this machine.

Refresh it occasionally
The bundle is a snapshot of your keys, not your code — your repo already carries the encrypted files. Re-export after you re-init a vault or change which recovery factors exist, and it stays valid for every commit of that vault, past and future.

Canceling a paid plan never locks you out

The Team plan pays for hosted collaboration: sharing access with teammates, revocation, the audit log, cloud key escrow, CI tokens. If you cancel, those hosted features stop — your ability to decrypt your own code does not. Lock, unlock, recovery unlock, and the recovery bundle are all part of the free CLI and run on your machine. There is no plan state, grace period, or account standing that gates your own passphrase working on your own vault.

Your side of the deal

Zero-knowledge cuts both ways. Because we never see your keys, we can protect you from everyone — including from us — but we cannot rescue you from losing your own secrets. Concretely:

  • Keep your passphrase in a password manager.
  • Keep your recovery code somewhere separate and offline — it's shown once at init, and anyone who holds it can unlock the vault.
  • Consider exporting a recovery bundle and, on Team plans, cloud key escrow as additional factors.

If every factor is lost, the data is gone
If you lose your passphrase and your recovery code and every bundle or escrow you set up, the encrypted files cannot be decrypted — by you, by us, or by anyone else. That is not a support-ticket problem we're declining to solve; it is the mathematical price of a system where the server can never read your code. Keep at least two factors, stored in different places.

Frequently asked questions

If I cancel my paid plan, can I still decrypt my code?

Yes. Locking and unlocking are free CLI features that run on your machine. Canceling a Team plan turns off hosted features — sharing, the dashboard, cloud escrow, CI tokens — but it never affects your ability to unlock your own vaults with your passphrase or recovery code.

Can Sealrepo decrypt my code or reset my passphrase for me?

No. Sealrepo is zero-knowledge: the server never sees your plaintext, your passphrase, or your keys, so it has nothing it could use to decrypt your code or reset your passphrase. That is by design — it is also why you must keep your own recovery factors safe.

Do I need to be online or signed in to get my code back?

No. `sealrepo unlock --recovery` works fully offline with no account, and a recovery bundle created with `sealrepo export-recovery-bundle` lets you decrypt the vault independently from any machine. Your access never depends on our servers being reachable.

What happens if I lose my passphrase AND my recovery code?

If you lose every recovery factor — passphrase, recovery code, and any escrow or recovery bundle you set up — the data is unrecoverable. No one, including Sealrepo, can decrypt it. This is the honest cost of zero-knowledge encryption: keep at least two factors stored safely in separate places.

Is the recovery bundle safe to store in cloud storage or on a USB drive?

The bundle contains only encrypted key material and instructions — no plaintext keys and no plaintext code. Opening it still requires your passphrase or recovery code. Storing it in cloud storage or a drawer is reasonable; just don't store your recovery code in the same place.
