Best Secure Encryption for Zip Files via Linux

12

2

I want to use highly secure encryption for zipped files via Linux/Ubuntu using a command line terminal, what is the best command line tool to get this job done?

zip -e -P PASSWORD file1 file2 file3 file4

Or

7za a file.7z *.txt -pSECRET

What encryption is used and how secure is it?

Daniel

Posted 2010-01-13T22:17:39.060

Reputation: 1 365

You really don't want to put your secret on the command line where it can be read from ps or your history file. – Samuel Edwin Ward – 2013-06-17T17:09:01.020

Encryption compresses files anyway. If rock solid encryption is more important than file size, you should consider using GPG. – Iain – 2010-01-13T23:10:49.000

@Iain: that's true for GPG but not for all encryption tools. The way it works is, encrypting something makes it look like random data, which isn't compressible (or at least isn't compressible by much, if your encryption is any good). If you want to compress and encrypt, do your compression first, and encrypt the compressed data. Some tools (like GPG) do this for you automatically, but understand that's a feature of the tool, not of the encryption. – quack quixote – 2010-01-13T23:34:10.547

@Iain: thank you; I didn't know GPG did compression for you automatically. Found it in this article on GPG (see the "Encrypted Tarballs" section): http://www.linuxjournal.com/article/8732 – quack quixote – 2010-01-13T23:42:07.517

IIRC the compression done by GPG is (or is similar to) gzip with default settings, which is a good compromise of compression rates and speed. If the data you are sending is very large and the connections it will be sent over slow, then you will get some benefit from using 7zip first, but it takes a fair multiple longer to compress the same data, so you might find GPG's built-in compression support more convenient. – David Spillett – 2010-01-16T21:40:15.410
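The point made in the comments above, that ciphertext is essentially incompressible so compression has to happen before encryption, can be seen directly with a small experiment. This is an added example, not code from the thread; it uses zlib as the compressor and a one-time pad (XOR with random bytes) as a stand-in for a real cipher, since the stdlib has no AES and the output of any sound cipher is equally random-looking. The sample log text is constructed.

```python
import os
import zlib

# Constructed sample input: highly repetitive text, as archives of logs usually are.
SAMPLE = (
    b"2010-01-13 22:17:39 sshd[1234]: Accepted publickey for daniel from 10.0.0.5\n"
    * 400
)


def otp_encrypt(data: bytes, pad: bytes) -> bytes:
    """XOR data with a one-time pad at least as long as the data.

    Stand-in for a real cipher: like AES-CTR or GPG output, the result is
    indistinguishable from random bytes. XOR is its own inverse, so the same
    call decrypts.
    """
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(a ^ b for a, b in zip(data, pad))


def compress_then_encrypt(data: bytes, pad: bytes) -> bytes:
    """The right order: deflate the redundant plaintext, then encrypt the result."""
    return otp_encrypt(zlib.compress(data, 9), pad)


def encrypt_then_compress(data: bytes, pad: bytes) -> bytes:
    """The wrong order: the compressor sees random-looking bytes and cannot shrink them."""
    return zlib.compress(otp_encrypt(data, pad), 9)


def size_report(data: bytes, pad: bytes) -> dict:
    """Return the sizes of plaintext and of both pipelines' outputs, in bytes."""
    return {
        "plaintext": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(data, pad)),
        "encrypt_then_compress": len(encrypt_then_compress(data, pad)),
    }


def roundtrip_ok(data: bytes, pad: bytes) -> bool:
    """Check that compress-then-encrypt is reversible: decrypt, then inflate."""
    ct = compress_then_encrypt(data, pad)
    return zlib.decompress(otp_encrypt(ct, pad)) == data


if __name__ == "__main__":
    pad = os.urandom(len(SAMPLE))
    for name, size in size_report(SAMPLE, pad).items():
        print(f"{name:>22}: {size} bytes")
    print("roundtrip ok:", roundtrip_ok(SAMPLE, pad))
```

Run it and the compress-then-encrypt output is a small fraction of the plaintext, while encrypt-then-compress comes out slightly larger than the plaintext (deflate falls back to "stored" blocks and adds its own framing). This is why `gpg` compresses internally before encrypting, and why running `7za`/`zip` first and `gpg` second works well, but `gpg` first and `7za` second gains nothing.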

Answers

9

The compression offered by 7zip (in the 7z format) is more secure than any of the "standard" methods of encrypting a zip format file (many of which date back years and are barely secure at all). In either case make sure you choose a good password/key - with a badly chosen password all encryption techniques are susceptible to dictionary/guess attacks.

If you are encrypting files to send to someone else, GPG would be better (see https://help.ubuntu.com/community/GnuPrivacyGuardHowto for some Ubuntu specific notes, or Google for many other similar resources) if the person you are sending to is capable+willing to use GPG/PGP/compatible (or is already using them). The standard GPG tools are command line driven so easy to work into scripts if you are archiving files regularly and want to automate it. This is public key based so removes the problem of trying to get the key to the recipient by secure means as you encrypt with their public key and only they have the private key needed to unlock the resulting file (even you, the person who encrypted the file in the first place, would not be able to decrypt it). For paranoia++, encrypt with 7zip as you make the archive then with the recipient's public key via GPG.

David Spillett

Posted 2010-01-13T22:17:39.060

Reputation: 22 424

5

Not sure about the standard zip in Ubuntu, so I can't say which is 'best', but here's what 7-Zip claims they use:

7-Zip also supports encryption with AES-256 algorithm. This algorithm uses cipher key with length of 256 bits. To create that key 7-Zip uses derivation function based on SHA-256 hash algorithm. A key derivation function produces a derived key from text password defined by user. For increasing the cost of exhaustive search for passwords 7-Zip uses big number of iterations to produce cipher key from text password.

Ƭᴇcʜιᴇ007

Posted 2010-01-13T22:17:39.060

Reputation: 103 763

3

From the zip man page:

   -P password
   --password password
          Use password to encrypt zipfile entries (if any).  THIS IS INSECURE!  Many multi-user operating systems provide ways
          for any user to see the current command line of any other user; even on stand-alone systems there is always the
          threat of over-the-shoulder peeking.  Storing the plaintext password as part of a command line in an automated script
          is even worse.  Whenever possible, use the non-echoing, interactive prompt to enter passwords.  (And where security
          is truly important, use strong encryption such as Pretty Good Privacy instead of the relatively weak standard
          encryption provided by zipfile utilities.)

The upshot is that if your zip process takes a while, another user on the system might be able to see the command entered, which would include the password. Oops. Presumably this applies to the .7z solution as well.

shabbychef

Posted 2010-01-13T22:17:39.060

Reputation: 141
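The man page warning quoted above can be checked on your own machine: any local user can read another process's argument list (through /proc/<pid>/cmdline on Linux, or `ps`). The following is an added example, not code from the thread, and it does not need zip or 7za installed: it launches a harmless `sh -c 'sleep 2'` with a constructed password parked in its argument list, the way `zip -P PASSWORD` or `7za -pSECRET` would, and compares that with handing the secret over a pipe on stdin, which never appears in the command line. The password string is constructed for the demo.

```python
import subprocess


def visible_cmdline(pid: int) -> str:
    """Return a process's command line as any local user could observe it.

    Reads /proc/<pid>/cmdline on Linux; falls back to `ps -o args=` elsewhere.
    """
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    except OSError:
        out = subprocess.run(
            ["ps", "-o", "args=", "-p", str(pid)], capture_output=True, text=True
        )
        return out.stdout


def password_on_argv(password: str) -> str:
    """Insecure pattern: the secret is an argv element, like `zip -P PASSWORD`.

    `sh -c 'sleep 2' sh <password>` parks the secret in $1; sh never uses it,
    but it is visible to every user for as long as the process runs.
    """
    child = subprocess.Popen(["sh", "-c", "sleep 2", "sh", password])
    try:
        return visible_cmdline(child.pid)
    finally:
        child.kill()
        child.wait()


def password_on_stdin(password: str) -> tuple[str, int]:
    """Safer pattern: pass the secret over a pipe, not the command line.

    The child reads the password from stdin and reports its length, so we can
    confirm it arrived intact. Returns (observed command line, reported length).
    """
    child = subprocess.Popen(
        ["sh", "-c", 'IFS= read -r pw; printf %s "$pw" | wc -c'],
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        text=True,
    )
    seen = visible_cmdline(child.pid)  # snapshot while the child waits on stdin
    out, _ = child.communicate(password + "\n")
    return seen, int(out.strip())


if __name__ == "__main__":
    secret = "correct-horse-battery-staple"  # constructed demo value
    print("argv pattern, visible command line :", password_on_argv(secret))
    seen, n = password_on_stdin(secret)
    print("stdin pattern, visible command line:", seen)
    print("child received", n, "bytes of password")
```

The same reasoning applies to environment variables, which the same user (and root) can read from /proc/<pid>/environ, so a pipe or a file descriptor is the better channel for scripts. Interactively, `zip -e` (as in the question) and `7za a -p` with no value after `-p` both prompt for the password instead of taking it from the command line; for GnuPG, `--passphrase-fd` reads it from a descriptor you open yourself.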

0

GnuPG is probably good enough. However, if your life depends on it, I would be a little skeptical. I use a one-time pad. I won't discuss how I generate the pads or how I secure them, but I also use GPG for lower security emails. Sometimes I use onetime to encrypt a file, then attach it to an email that is encrypted with GPG.

Yes, I send info that people have to depend on being secure up to and including life threatening.

Ruffus

Posted 2010-01-13T22:17:39.060

Reputation: 1