diff --git a/bin/portzap b/bin/portzap
index 0918a13..f69b78c 100755
--- a/bin/portzap
+++ b/bin/portzap
@@ -51,6 +51,10 @@ case $1 in
         require_membership_of _portzap
         doas -u _portzap "${libexec}"/portzap-pull "${gitdir}" "${branch}"
         ;;
+    "erase")
+        require_membership_of _portzap
+        doas -u _portzap "${libexec}"/portzap-erase "${gitdir}" "${installdir}"
+        ;;
     "install")
         require_root
         require_dependency "git doas"
@@ -67,6 +71,7 @@ case $1 in
         printf "  clone    Clone the hardenedbsd ports tree.\n"
         printf "  pull     Pull updates from the hardenedbsd ports tree.\n"
         printf "  install  Install the ports tree into /usr/ports.\n"
+        printf "  erase    Erase /usr/ports/ and /home/_portzap/ports/.\n"
         printf "  setup    Add the _portzap user, group and home directory.\n"
         ;;
 esac
diff --git a/libexec/portzap/portzap-erase b/libexec/portzap/portzap-erase
new file mode 100644
index 0000000..a5eb15b
--- /dev/null
+++ b/libexec/portzap/portzap-erase
@@ -0,0 +1,38 @@
+#!/bin/sh -e
+
+##
+# variables
+gitdir=$1
+installdir=$2
+
+##
+# main
+printf "[-] Are you sure ? \n"
+printf "[-] These directories will be erased:\n"
+printf "    [*] ${gitdir}\n"
+printf "    [*] ${installdir}\n"
+printf "[y|n] "
+while true; do
+    read r
+    if [ "${r}" = "y" ]; then
+        break
+    elif [ "${r}" = "n" ]; then
+        printf "[-] Nothing to do\n"
+        exit
+    else
+        printf "[-] '${r}' is not a valid option.\n"
+        printf "[y|n] "
+    fi
+done
+for dir in "${gitdir}" "${installdir}"; do
+    printf "${dir}  "
+    find "${dir}" \
+        -maxdepth 1 \
+        \! -name "." \
+        \! -name ".." \
+        \! -name "ports" \
+        -exec printf . \; \
+        -exec rm -rf "{}" \;
+    echo
+done
+printf "[-] Done\n"
diff --git a/libexec/portzap/portzap-install b/libexec/portzap/portzap-install
index ccf1190..234cbfa 100755
--- a/libexec/portzap/portzap-install
+++ b/libexec/portzap/portzap-install
@@ -58,6 +58,7 @@ umask u=rwX,g=rwX,o=
 cd "${gitdir}"
 set +x
 run_install "-d" "${installdir}"
+chmod u=rwx,g=rwx,o= "${installdir}"
 if [ -e "${revfile}" ]; then
     perform_update
 else
diff --git a/share/portzap/doas.conf b/share/portzap/doas.conf
index 73e1193..189aa83 100644
--- a/share/portzap/doas.conf
+++ b/share/portzap/doas.conf
@@ -2,6 +2,7 @@
 # portzap
 permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-clone
 permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-pull
+permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-erase
 permit nopass root as _portzap cmd /usr/local/libexec/portzap/git-changed-files
 permit nopass root as _portzap cmd /usr/local/libexec/portzap/git-removed-files
 permit nopass root as _portzap cmd /usr/local/libexec/portzap/git-rev