7-Zip is a free, open source, cross-platform compression and encryption utility that neither requires registration or any kind of payment to use, even in a commercial environment. It's licensed under the GNU LPGL and other licenses. It's likely that you've at least heard of 7-Zip somewhere in your travels because it's been around since 1999. I think you'll like its many features, and I'm happy to bring this little gem to light, especially if you've never used it and you're looking for an encryption solution for your backups.
[ You might also enjoy: Taming the tar command: Tips for managing backups in Linux ]
There are three vulnerability points for files and archives when transported or stored: in-use, in-flight, and at rest. This article focuses on how you can protect file archives in-flight and at rest with AES-256 encryption. Hopefully, everyone performs daily backups and follows the 3-2-1 rule of archiving and storage. But even if you do, you should encrypt your archives for safekeeping. Encryption, especially AES-256 encryption, helps protect your files and archives from prying eyes, even if they're exfiltrated into a malicious actor's possession.
Don't forget that 7-Zip is also an excellent compression tool if you want to minimize those backup file sizes. But this article focuses on encryption rather than compression. There are several switches and configurations available to obtain different compression levels for your archives. Check the man page for more information on compression settings.
While 7-Zip's encryption and compression features are good, its backup features are weak. On the man page for 7-Zip, you find the following warning:
Backup and limitations
DO NOT USE the 7-Zip format for backup purposes on Linux/Unix because 7-zip does not store the owner/group of the file. On Linux/Unix, in order to backup directories, you must use tar.
Installation
7-Zip isn't a base product, so you'll have to install it. To grab the entire suite of 7-Zip plugins and documentation along with the main 7-Zip package, use the following command:
# dnf install -y p7zip*
I use the * to download every package related to 7-Zip. This installs p7zip, p7zip-plugins, and p7zip-doc from the EPEL repository.
Encryption
Files encrypted using the .7z format are encrypted with AES-256 encryption by default. You don't need any extra settings to obtain that encryption level. You should turn on data and header encryption (-mhe=on) so that no one can see your file list in the archive file before entering the password (key). The following example is my standard one for encrypting a tarball. I don't supply any special compression switches, but I do turn on header encryption, and I always supply a strong password (encryption key) for each archive. Generically, this is my archive and encrypt command:
$ tar -cf directory.tar <directory>
$ 7z a -p -mhe=on directory.tar.7z directory.tar
Here is the interactive version for a directory named archive.
$ tar -cf archive.tar archive
$ 7z a -p -mhe=on archive.tar.7z
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i5-7360U CPU @ 2.30GHz (806E9),ASM,AES-NI)
Creating archive: archive.tar.7z
Items to compress: 1
Enter password (will not be echoed):
Verify password (will not be echoed) :
Files read from disk: 1
Archive size: 166 bytes (1 KiB)
Everything is Ok
$ ls
archive archive.tar archive.tar.7z
Not all documentation on the 7-Zip utility is the most up-to-date. My suggestion is always to consult the man page, which should provide the latest information. I find the man page to be the most accurate and helpful documentation available.
The 7z format
This information is an excerpt from the 7-Zip website.
7z is the new archive format, providing a high compression ratio.
The main features of 7z format:
- Open architecture
- High compression ratio
- Strong AES-256 encryption
- Ability to use any compression, conversion, or encryption method
- Supporting files with sizes up to 16000000000 GB
- Unicode file names
- Solid compressing
- Archive headers compressing
7z has an open architecture so it can support any new compression methods.
Decryption
First, decrypt the archive from the compressed, encrypted 7z file and supply your encryption password.
$ 7z x archive.tar.7z
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i5-7360U CPU @ 2.30GHz (806E9),ASM,AES-NI)
Scanning the drive for archives:
1 file, 440 bytes (1 KiB)
Extracting archive: archive.tar.7z
Enter password (will not be echoed):
--
Path = archive.tar.7z
Type = 7z
Physical Size = 440
Headers Size = 200
Method = LZMA2:12k 7zAES
Solid = -
Blocks = 1
Everything is Ok
Size: 10240
Compressed: 440
$ ls
archive.tar archive.tar.7z
Now, untar the tarred files in the usual way.
$ tar xvf archive.tar
archive/
archive/file1.txt
archive/file2.txt
archive/file3.txt
archive/file4.txt
archive/file5.txt
archive/file3.old.txt
Your directories and files are intact with the proper permissions. That's all there is to it. 7-Zip's simplicity, speed, compression, and encryption make it a must-have for sysadmins who need those features for your archives.
[ Thinking about security? Check out this free guide to boosting hybrid cloud security and protecting your business. ]
Wrap up
I feel good knowing that 7-Zip is a free, open source utility that requires no fees or registration to use. It works on Windows, Linux, and Mac systems, so you should be covered on all of your platforms. Please test the encryption and decryption process to be sure that you can extract your tar files after they've been encrypted and decrypted. You certainly don't want to find out that something has gone wrong with your tar file when you need to restore something from one of them.
About the author
Ken has used Red Hat Linux since 1996 and has written ebooks, whitepapers, actual books, thousands of exam review questions, and hundreds of articles on open source and other topics. Ken also has 20+ years of experience as an enterprise sysadmin with Unix, Linux, Windows, and Virtualization.
Follow him on Twitter: @kenhess for a continuous feed of Sysadmin topics, film, and random rants.
In the evening after Ken replaces his red hat with his foil hat, he writes and makes films with varying degrees of success and acceptance. He is an award-winning filmmaker who constantly tries to convince everyone of his Renaissance Man status, also with varying degrees of success and acceptance.
Browse by channel
Automation
The latest on IT automation for tech, teams, and environments
Artificial intelligence
Updates on the platforms that free customers to run AI workloads anywhere
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
The latest on how we reduce risks across environments and technologies
Edge computing
Updates on the platforms that simplify operations at the edge
Infrastructure
The latest on the world’s leading enterprise Linux platform
Applications
Inside our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Customer support
- Developer resources
- Find a partner
- Red Hat Ecosystem Catalog
- Red Hat value calculator
- Documentation
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit