There is often a need to encrypt and/or password protect archive files. Whether you are using them to back up data or share it across the internet, you should take the necessary steps to protect your data. In this quick tip we will examine three ways to create an encrypted and password protected archive in Linux. We will also briefly discuss some pros and cons of each method.

Using tar and gpg to create a secured tar archive.

This is the most secure way of creating an encrypted / password protected compressed archive, but it is also one of the more complicated. We will use the tar command to create an archive and pipe it to the gpg command for encryption and password protection. This example specifies the AES-256 encryption algorithm.

tar czvpf - file1.txt file2.pdf file3.jpg | gpg --symmetric --cipher-algo aes256 -o myarchive.tar.gz.gpg

After entering the above command you will be prompted for a passphrase.


After entering the passphrase you will be asked to repeat it. The archive is then created as an encrypted file, using a secure algorithm and protected by your custom passphrase.

To decrypt and extract the archive, pipe the output of gpg back into tar:

gpg -d myarchive.tar.gz.gpg | tar xzvf -

You will be prompted for the passphrase before the archive is extracted.

I like to always name these types of archives .tar.gz.gpg so I know how they were created.  For this example we used tar, gzip and gpg.  Also, it is important that you DO NOT forget the passphrase. If you do, there is no way to recover the data.

Use 7zip to create zip format archives with secure algorithms

This is just as secure as the first option since it supports the same AES-256 encryption algorithm, although it does require you to put the passphrase or “secret” on the command line, which I am not a fan of. It is also not as convenient because most systems do not come with the P7zip package installed.

To install P7zip on Red Hat, or RH variants like CentOS or Fedora:

sudo yum -y install p7zip

or

sudo dnf -y install p7zip

On Debian based systems such as Ubuntu:

sudo apt-get install p7zip-full

To create the archive, use the command below, replacing “PASSPHRASE” with your own secret passphrase.

7za a -tzip -pPASSPHRASE -mem=AES256 myarchive.zip file1.txt file2.pdf file3.jpg

Example output:

$ 7za a -tzip -pPASSPHRASE -mem=AES256 myarchive.zip file1.txt file2.pdf file3.jpg
7-Zip (A) [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,8 CPUs)
Scanning

Creating archive myarchive.zip
Compressing  file1.txt     
Compressing  file2.pdf     
Compressing  file3.jpg 

Everything is Ok

To extract the zip archive use the following:

7za e myarchive.zip

Use the zip command to create an encrypted archive

The zip command provides options that allow you to encrypt archives. It uses the legacy PKZIP encryption algorithm, which is known to be insecure, and it also requires you to add your passphrase on the command line. The benefit of this method is that both Linux and Windows folks can extract the archive without any additional software.

Simply add the --password option to the zip command like so:

zip --password PASSPHRASE myarchive.zip file1.txt file2.pdf file3.jpg

Remember to replace PASSPHRASE with your password.

Example output:

$ zip --password PASSPHRASE myarchive.zip file1.txt file2.pdf file3.jpg
  adding: file1.txt (deflated 75%)
  adding: file2.pdf (deflated 7%)
  adding: file3.jpg (deflated 4%)

To extract the archive, use the normal unzip utility.  The only difference is you will be asked for a password.

$ unzip myarchive.zip
Archive:  myarchive.zip
[myarchive.zip] password:
  inflating: file1.txt              
  inflating: file2.pdf              
  inflating: file3.jpg

Conclusion

So there you have my three favorite ways to create encrypted archives. There are plenty more ways to accomplish this (openssl, gpg-zip, bcrypt) and some are better than others. If your data is really important, I suggest you read up on the different algorithms and signing methods that are out there and decide for yourself which is right.

Whatever method you use, it is important to NOT forget your passphrase.
