How to prevent 7-Zip encrypted zip file passwords from being stored on the hard-drive?

11

4

I've encrypted a folder with 7-Zip 9.20, specifying 256-bit AES and a password, and the .zip file was created. But then, when I clicked on the zipped file, to my surprise, PeaZip 5.1.1, which was the registered program to open zip files, opened the file without prompting me for the password.

This means 7-Zip is storing my AES password somewhere on disk, and what is even worse, in a place where other programs can find it. This is inherently insecure. How can I disable this behavior?

Thanks.


Here is a picture of how I encrypted the file with 7-Zip:

enter image description here

And here is a picture of the dialog box (with an option for entering the keyfile) I get when I try to open any file in the .zip archive (a similar window is displayed when opening .7z files):

enter image description here

John Sonderson

Posted 2015-01-31T00:07:00.350

Reputation: 2 816

4 And by opening you do mean unpacking, right? Because otherwise, the answer says it all: Metadata (like the list of files) is not encrypted. – Daniel B – 2015-01-31T00:43:43.843

1 @DanielB Exactly. You can open an encrypted ZIP file. But to get to the data inside the ZIP file in any useful way you'll be prompted for a password. – misha256 – 2015-01-31T00:46:02.937

"This means 7-Zip is storing my AES password somewhere on disk" You do not seem to understand how encryption works; it'd be completely pointless to have the password stored anywhere to be accessed by third parties. – ElementW – 2015-01-31T14:56:00.417

The password isn't stored on the disk! The program simply reads the index and shows the file structure. When you try to access a file, it asks for the password! This happens with .rar files too. – Ismael Miguel – 2015-01-31T16:08:31.737

Answers

25

7-zip does not store passwords on your computer; it does not have that feature.

Your issue is actually a limitation of the ZIP format when creating encrypted ZIP files. The data is encrypted, but not the file names. You can prove this by trying to extract the contents of the ZIP file. It will fail unless you specify the correct password.

If you want file names to be encrypted as well, I highly recommend 7-zip's 7z format; you'll see that the option "Encrypt file names" becomes available.

misha256

Posted 2015-01-31T00:07:00.350

Reputation: 10 292

I've encrypted the data as above. I don't care about the filename: it would have to be unencrypted anyways as the OS needs to display the filename (e.g. MySecureZipFile.zip) on the desktop. My issue is that as you can see in the above screenshot, I have specified a password, as 7-Zip allowed me to for the .zip format, but then when I open it with PeaZip it doesn't ask me for it, just opens the file. Any idea why? – John Sonderson – 2015-01-31T00:40:43.270

I've tried the .7z format as well, as you suggested. The PeaZip application still opens the file even though I've specified a password. Have I done anything wrong? – John Sonderson – 2015-01-31T00:43:06.960

10 You're misunderstanding my answer. An encrypted ZIP file can be opened without the password. The only time you'll need the password is to actually extract the files out of the ZIP file to use them. – misha256 – 2015-01-31T00:43:40.193

You're right. Now I understand your answer. When I click on any of the files contained in the encrypted folder, that's when the password is required. And with the .7z Encrypt Filenames option the password can be entered when opening the containing folder. – John Sonderson – 2015-01-31T00:46:25.407

As one last curiosity, if you don't mind me asking. There is also an option to enter a keyfile. So perhaps I could store the folder password on a keyfile on an external USB drive which I could keep somewhere safe, as a less secure option. But how would I go about creating such a keyfile and storing my passwords in it? Thanks, and sorry for asking too many questions. – John Sonderson – 2015-01-31T00:50:15.103

No problem... only thing is I don't think 7-zip supports keyfiles, where are you seeing that option? – misha256 – 2015-01-31T00:53:36.933

I've added a screenshot. The option is displayed when opening files in zipped folders as well as when opening 7z files. – John Sonderson – 2015-01-31T01:00:50.393

1 OK I can confirm 7-zip doesn't support keyfiles, but PeaZip does. If you really want to use keyfiles, you'll have to stick with using PeaZip exclusively for both creating and extracting ZIP files. My thinking is that keyfiles are a bit overkill and there's always the risk of a USB key getting lost, stolen, or broken. Besides, keyfiles are normally used in conjunction with a regular password to get two layers of protection. Anyway, if you're set on using keyfiles, you won't be able to use 7-zip anymore. – misha256 – 2015-01-31T01:02:50.480

Thanks. That answers all my questions. I think I'll stick to 7-zip and just remember the password (or store it in a text file hidden in some place, thus doing away with the need for a keyfile used the way I was thinking of using it :-) ). – John Sonderson – 2015-01-31T01:07:32.057

3

The Zip format does not allow encrypting the archive's table of contents, so you can actually open (browse) any encrypted Zip file.

Some archive managers can check whether the file is encrypted and, in that case, ask you for the password, but the names of files and folders inside the encrypted Zip archive are in clear text anyway and anyone can read them (e.g. with a plain hex viewer), so the archive format does not offer any security at all if the attacker's goal is just to read the file names.

The 7z format can optionally encrypt the archive's table of contents; in this way you will always need to enter the password to browse the content.

Both with Zip and 7z formats, however, you cannot extract anything from an encrypted archive without providing the password, as the file content is actually encrypted.

The issue is utterly complicated as both the Zip and 7z formats support different passwords being used in the same archive (e.g. file a.txt is encrypted with "p4sSword1", file b.txt is encrypted with "Passw0rd2", file c.txt is not encrypted), so if you decide to use this (format's) feature you may need to enter different passwords to operate on (extract, update) different files inside the same archive - so the concept of asking for "the" password when you open an encrypted archive may be deceptive, as that password may apply only to part of the archive's content.

Dice9

Posted 2015-01-31T00:07:00.350

Reputation: 191

Thanks for the information on the ability of both zip and 7z to encrypt different files with different passwords, but then again I can't find any archive manager that supports this feature. Perhaps you can name a few. – John Sonderson – 2015-01-31T11:38:13.357

1 In my experience you can do it both with 7-Zip and PeaZip. In 7-Zip select input file(s) and click the "Add" button; now in the "Archive" field you can select an existing encrypted archive and in the "Enter password" field you can choose a different password (or no password), so the existing archive will contain data encrypted with different passwords - and requiring different passwords to be extracted. In PeaZip you can do the same thing by browsing an existing encrypted archive, setting a different password (clicking on the padlock icon in the status bar) and then dragging in the file(s) to be added with said password. – Dice9 – 2015-01-31T14:50:50.107

-2

Perhaps try to use 7zip Portable from http://portableapps.com/apps/utilities/7-zip_portable as it inherently is portable and thus does not leave anything behind once you remove it from the computer (example: run it off a USB).

user414101

Posted 2015-01-31T00:07:00.350

Reputation: 1

The problem is not what it leaves behind. The problem is that deleted files on Windows (or any other OS) are not fully deleted to speed up the operation, and because of this writing to disk is an inherently insecure operation from a privacy point of view unless followed by a "full deletion" operation. – John Sonderson – 2015-01-31T11:39:38.163

1 @JohnSonderson What? o.O what does this have to do with Zip passwords? – Ismael Miguel – 2015-01-31T16:38:43.270