diff --git a/common/bin/encrypted-dir-archive b/common/bin/encrypted-dir-archive
new file mode 100755
index 0000000..c205dda
--- /dev/null
+++ b/common/bin/encrypted-dir-archive
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+usage() {
+ # shellcheck disable=SC2016
+ echo 'encrypted-dir-archive
+
+This script streams an gpg-encrypted byte-stream of a zstd-compressed \
+tarball this can be redirected to a file for an encrypted backup.
+
+Very roughly, this is a small wrapper around `tar cf . | zstd | gpg --encrypt` \
+so you can go backwards to reverse the process `gpg --decrypt | zstd -d | tar xf`.
+
+You can stream over ssh as a remote backup by piping to something like this: \
+`ssh "$HOST" "cat - > '\$REMOTE_FILE'"`'.
+}
+
+if [ "$1" = '-h' ] || [ "$1" = "--help" ]; then
+ usage
+ exit 0
+fi
+
+dir="$1"
+
+if [ -z "$dir" ]; then
+ echo "no directory argument provided" >&2
+ usage
+ exit 1
+fi
+
+if [ ! -d "$dir" ]; then
+ echo "'$dir' is not a directory" >&2
+ usage
+ exit 2
+fi
+
+# go to directory containing target directory
+parent="$(dirname "$dir")"
+pushd "$parent" >/dev/null || { echo "failed to cd to '$parent'" >&2; exit 3; }
+
+# https://stackoverflow.com/a/30520299
+if [ -t 1 ]; then
+ echo "not dumping encrypted data to terminal"
+ exit 4
+fi
+
+tar cf - "$(basename "$dir")" \
+ | zstd --ultra -T2 -22 \
+ | gpg --encrypt --recipient daniel@lyte.dev
+
+popd || echo "failed to return to original directory" >&2
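Review bot: The closing `popd` prints the directory stack to stdout, which is the same stream that carries the ciphertext, so every archive ends with a plaintext path line after the gpg data. The `pushd` above is already silenced and this line should match it: `popd >/dev/null || echo "failed to return to original directory" >&2`. Separately, the exit status of the `tar | zstd | gpg` pipeline is discarded, because no `pipefail` is set and the script exits with the status of that last line, so a tar or zstd failure still yields a truncated backup that reports success. Adding `set -o pipefail` near the top and `|| exit 5` after the gpg stage would let callers detect a failed backup. The terminal-refusal message before the pipeline also goes to stdout, unlike the other error messages, and would read more consistently with `>&2`.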