How to Create an Encrypted (Password Protected) Tar or Zip Archive in Linux

Question sent in by Stephen from Pennsylvania.

Q: Without going into too much detail, I need to tar or zip some data files, have them encrypted and password protected.  Any ideas?

A: There are several ways to accomplish this task.  Some are easier than others.  Let's start with the most secure way, since that is my preferred method.

1) Using tar and gpg to create a secured tar archive.

This is the most secure way of creating an encrypted, password-protected compressed archive, but it is also one of the more complicated.  This example uses the AES-256 encryption algorithm.

tar czvpf - file1.txt file2.pdf file3.jpg | gpg --symmetric --cipher-algo aes256 -o myarchive.tar.gz.gpg

After entering the above command you will be prompted for a passphrase.

Example output:

$ tar czvpf - file1.txt file2.pdf file3.jpg | gpg --symmetric --cipher-algo aes256 -o myarchive.tar.gz.gpg
Enter passphrase: 

After entering the passphrase you will be asked to repeat it.  Then the archive will be created as an encrypted archive, using a secure algorithm and protected by your custom passphrase.

To extract the archive use the following command:

gpg -d myarchive.tar.gz.gpg | tar xzvf -

You will be prompted for the passphrase before the archive is extracted.

NOTE: I like to always name these types of archives .tar.gz.gpg so I know how they were created.  For this example we used tar, gzip and gpg.  Also, it is important that you DO NOT forget the passphrase.

Check the tar and GnuPG manpages for more information.

2) Use 7zip to create zip format archives with secure algorithms. 

This is just as secure as the first option, since it supports the same AES-256 encryption algorithm, although it does require you to put the passphrase or "secret" on the command line, which I am not a fan of because it ends up in your shell history and can be seen in the process list while the command runs.  It is also not as convenient, because most systems do not come with the P7zip package installed.

To install P7zip on Red Hat, or RH variants like CentOS or Fedora:

sudo yum -y install p7zip

On Debian-based systems such as Ubuntu:

sudo apt-get install p7zip-full

To create the archive, use the command below, replacing "PASSPHRASE" with your own secret passphrase.

7za a -tzip -pPASSPHRASE -mem=AES256 myarchive.zip file1.txt file2.pdf file3.jpg

Example output:

$ 7za a -tzip -pPASSPHRASE -mem=AES256 myarchive.zip file1.txt file2.pdf file3.jpg

7-Zip (A) [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,8 CPUs)

Creating archive myarchive.zip

Compressing  file1.txt     
Compressing  file2.pdf     
Compressing  file3.jpg     

Everything is Ok

To extract the zip archive use the following:

7za e myarchive.zip

3) Use the zip command to create an encrypted archive.

The zip command provides options that allow you to encrypt archives.  It uses the PKZIP algorithm, which is known to be insecure, and it also requires you to add your passphrase on the command line.  The benefit of this method is that both Linux and Windows folks can extract the archive without any additional software.

zip --password PASSPHRASE myarchive.zip file1.txt file2.pdf file3.jpg

Example output:

$ zip --password PASSPHRASE myarchive.zip file1.txt file2.pdf file3.jpg
  adding: file1.txt (deflated 75%)
  adding: file2.pdf (deflated 7%)
  adding: file3.jpg (deflated 4%)

To extract the archive, use the normal unzip utility.  The only difference is you will be asked for a password.

unzip myarchive.zip

Example output:

$ unzip myarchive.zip
Archive:  myarchive.zip
[myarchive.zip] password:
  inflating: file1.txt              
  inflating: file2.pdf              
  inflating: file3.jpg

So there you have my three favorite ways to create encrypted archives.  There are plenty more ways to accomplish this (openssl, gpg-zip, bcrypt) and some are better than others.  If your data is really important, I suggest you read up on the different algorithms and signing methods that are out there and decide for yourself which is right.

Whatever method you use, it is important to NOT forget your passphrase.
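
The tar and gpg pipeline from method 1, written for use in scripts, as an added example that is not part of the original post: the passphrase is read from a file instead of a prompt or the command line, and the archive can be checked before the originals are deleted. It assumes GnuPG 2.1 or later and GNU tar; the function names and the passphrase-file convention are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes GnuPG 2.1+ and GNU tar.
# Function names and the passphrase-file convention are illustrative.

# encrypt_archive PASSFILE OUTPUT FILE...
# Reads the passphrase from the first line of PASSFILE (keep it mode 600),
# so it never appears in the process list or in shell history.
encrypt_archive() {
    [ "$#" -ge 3 ] || { echo "usage: encrypt_archive PASSFILE OUTPUT FILE..." >&2; return 2; }
    passfile=$1; out=$2; shift 2
    [ -r "$passfile" ] || { echo "cannot read $passfile" >&2; return 2; }
    # The pipeline's exit status is gpg's, so catch missing inputs up front.
    for f in "$@"; do
        [ -e "$f" ] || { echo "missing input: $f" >&2; return 2; }
    done
    (
        umask 077   # the encrypted archive is created owner-only
        tar czpf - "$@" |
            gpg --batch --yes --pinentry-mode loopback \
                --passphrase-file "$passfile" \
                --symmetric --cipher-algo AES256 -o "$out"
    )
}

# verify_archive PASSFILE ARCHIVE
# Decrypts to a pipe and lists the members without writing them to disk.
# Returns non-zero on a wrong passphrase or a damaged archive, because tar
# then receives no valid gzip stream.
verify_archive() {
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$1" -d "$2" 2>/dev/null | tar tzf -
}

# extract_archive PASSFILE ARCHIVE DESTDIR
extract_archive() {
    mkdir -p "$3" &&
        gpg --batch --quiet --pinentry-mode loopback \
            --passphrase-file "$1" -d "$2" | tar xzpf - -C "$3"
}
```

Typical use is `encrypt_archive ~/.archive-pass myarchive.tar.gz.gpg file1.txt file2.pdf file3.jpg` followed by `verify_archive ~/.archive-pass myarchive.tar.gz.gpg`.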
