Using 7z for strong encryption in ZIP files

Principal author:
John L. Clark


Some situations may require strong encryption in ZIP files, but the common zip utility available on GNU systems does not support strong encryption. Thankfully, 7-Zip and P7ZIP are Free Software projects that fill this niche. This essay provides a brief overview of how to find and use 7z, which both projects provide, for this purpose.

Apparently, it's not good enough to first create a ZIP file and then encrypt it independently using a tool designed specifically for encryption, such as GPG or OpenSSL; some proprietary vendors decided they wanted strong encryption supported directly in ZIP files. What should you do if you don't have or want one of these pieces of proprietary software, but you need to use this heterofunctional format? The short answer is to use 7-Zip, and more specifically, on non-Windows systems, to use the P7ZIP port.

I recently came across a situation where a particular vendor (in this case, the ACC NCDR® CathPCI Registry® submission process) required submitting ZIP archives with AES-256 encryption. I thought they meant creating a ZIP archive, and then encrypting it with AES-256. I burned a fair bit of time before I realized that what they really wanted was this special type of ZIP archive with its own strong encryption. I burned through even more time finding a piece of Free Software that I could use to create these encrypted ZIP archives: 7-Zip.

Conveniently, there is also a port of 7-Zip for non-Windows systems called P7ZIP that I could use under Linux. It was not installed by default on my Linux system, but I could select it from my package manager. If it is not available in your package manager, you can easily install it from a source or binary package, which are available from the P7ZIP SourceForge page.

Using P7ZIP is easy, although invoking it is a bit idiosyncratic when compared with most GNU utilities. Here is how I created a ZIP archive with integrated AES256 encryption, based on a passphrase:

$ 7z a -tzip '-pyour passphrase here' -mem=AES256 \
    archive-name.zip list-of-archive-contents

The first argument is the subcommand; in this case it is "a", which adds items to a (potentially new) archive. Note how option arguments must be included immediately after the option, which is why both the -p option and the corresponding passphrase are placed together in quotes, so that the passphrase can contain special characters. Full documentation is included with the application, and is referenced from its man page; please see that documentation for a full list of available subcommands and options.
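
To confirm that an archive produced this way really carries the integrated AES-256 encryption a recipient asks for, the ZIP headers can be inspected directly. The following Python check is an added example, not part of the original essay or of 7-Zip; it assumes the WinZip-compatible AE-x layout (compression method 99 with extra field 0x9901) that 7z writes for -mem=AES256, and the function names and the sample file are constructed for illustration.

```python
import io
import struct
import sys
import zipfile

AES_METHOD = 99          # ZIP compression method meaning "WinZip AES (AE-x)"
AES_EXTRA_ID = 0x9901    # extra-field header ID carrying the AES parameters
STRENGTH_BITS = {1: 128, 2: 192, 3: 256}

def aes_key_bits(info):
    """Return the AES key size (128/192/256) of a ZipInfo entry, or None."""
    # An AE-x entry has the "encrypted" flag (bit 0) set and method 99.
    if info.compress_type != AES_METHOD or not info.flag_bits & 0x1:
        return None
    extra, pos = info.extra, 0
    while pos + 4 <= len(extra):          # walk the (id, size, data) records
        field_id, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4:pos + 4 + size]
        if field_id == AES_EXTRA_ID and len(data) >= 7:
            # version, vendor "AE", strength byte, real compression method
            _ver, vendor, strength, _method = struct.unpack_from("<H2sBH", data)
            return STRENGTH_BITS.get(strength) if vendor == b"AE" else None
        pos += 4 + size
    return None

def weak_entries(zip_file):
    """List names of file entries that are not protected with AES-256."""
    with zipfile.ZipFile(zip_file) as zf:
        return [i.filename for i in zf.infolist()
                if not i.is_dir() and aes_key_bits(i) != 256]

def constructed_plain_zip():
    """Constructed sample: an in-memory ZIP with one unencrypted member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.csv", "constructed sample data\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else constructed_plain_zip()
    bad = weak_entries(target)
    print("entries not using AES-256:", bad if bad else "none")
```

Run it with the archive path as the first argument; with no argument it checks the constructed, unencrypted sample and reports report.csv. The check reads only the central directory, which ZIP leaves unencrypted, so no passphrase is needed.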

This page was last modified on 2010-05-15 12:02:00-04:00.

This page was first published on .

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
