There is often a need to encrypt and/or password protect archive files. Whether you are using them to backup data or share it across the internet, you should take the necessary steps to protect your data. In this quick tip we will examine three ways to create an encrypted and password protected archive in Linux. We will also briefly discuss some pros and cons of each method.
Using tar and gpg to create a secured tar archive.
This is the most secure way of creating an encrypted / password protected compressed archive, it is also one of the more complicated. We will use the tar command to create an archive and pipe it to the gpg command for encryption and password protection. This example specifies the AES-256 encryption algorithm.
tar czvpf - file1.txt file2.pdf file3.jpg | gpg --symmetric --cipher-algo aes256 -o myarchive.tar.gz.gpg
After entering the above command you will be prompted for a passphrase.
After entering the passphrase you will be asked to repeat it. Then the archive will be created as an encrypted archive, using a secure algorithm and protected by your custom passphrase.
gpg -d myarchive.tar.gz.gpg | tar xzvf -
You will be prompted for the passphrase before the archive is extracted.
I like to always name these types of archives .tar.gz.gpg so I know how they were created. For this example we used tar, gzip and gpg. Also, it is important that you DO NOT forget the passphrase. If you do, there is no way to recover the data.
Use 7zip to create zip format archives with secure algorithms
This is just as secure as the first option since it supports the same AES-256 encryption algorithm, although it does require you put the passphrase or “secret” on the command line, which I am not a fan of. It is also not as convenient because most systems do not come with the P7zip package installed.
To install P7zip on Red Hat, or RH variants like CentOS or Fedora:
sudo yum -y install p7zip
or
sudo dnf -y install p7zip
On Debian based systems such as Ubuntu:
sudo apt-get install p7zip-full
To create the archive, use the command below, replace “PASSPHRASE” with your own secret passphrase.
7za a -tzip -pPASSPHRASE -mem=AES256 secure.zip file1.txt file2.pdf file3.jpg
Example output:
$ 7za a -tzip -pPASSPHRASE -mem=AES256 myarchive.zip file1.txt file2.pdf file3.jpg7-Zip (A) [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,8 CPUs)
ScanningCreating archive myarchive.zip
Compressing file1.txt
Compressing file2.pdf
Compressing file3.jpg
Everything is Ok
To extract the zip archive use the following:
7za e myarchive.zip
Use the zip command to create an encrypted archive
The zip command provides options to allow you to encrypt archives. It uses a known insecure PKZIP algorithm and also requires you to add your passphrase on the command line. The benefit of this method is both Linux and Windows folks can extract the archive without any additional software.
Simply add the --password option to the zip command like so:
zip --password PASSPHRASE myarchive.zip file1.txt file2.pdf file3.jpg
Remember to replace PASSPHRASE with your password.
Example output:
$ zip --password PASSPHRASE myarchive.zip file1.txt file2.pdf file3.jpg
adding: file1.txt (deflated 75%)
adding: file2.pdf (deflated 7%)
adding: file3.jpg (deflated 4%)
To extract the archive, use the normal unzip utility. The only difference is you will be asked for a password.
$ unzip myarchive.zip
Archive: myarchive.zip
[myarchive.zip] password:
inflating: file1.txt
inflating: file2.pdf
inflating: file3.jpg
Conclusion
So there you have my three favorite ways to created encrypted archives. There are plenty more ways to accomplish this (openssl, gpg-zip, bcrypt) and some are better than others. If you data is really important, I suggest you read up on the different algorithms and signing methods that are out there and decide for yourself which is right.
Whatever method you use it is important to NOT forget your passphrase.
Thank you for this article!
Thank you sir! How do I do incremental?
I am not sure what you mean by incremental. Do you mean like adding stuff to the archive after it's created?