Skip to main content

Encrypting and decrypting archives with 7-Zip

You can compress and encrypt archives with 7-Zip with AES-256 encryption. Find out how.
pad lock on cdrom

Image by Hebi B. from Pixabay

7-Zip is a free, open source, cross-platform compression and encryption utility that neither requires registration or any kind of payment to use, even in a commercial environment. It's licensed under the GNU LPGL and other licenses. It's likely that you've at least heard of 7-Zip somewhere in your travels because it's been around since 1999. I think you'll like its many features, and I'm happy to bring this little gem to light, especially if you've never used it and you're looking for an encryption solution for your backups.

[ You might also enjoy: Taming the tar command: Tips for managing backups in Linux ]

There are three vulnerability points for files and archives when transported or stored: in-use, in-flight, and at rest. This article focuses on how you can protect file archives in-flight and at rest with AES-256 encryption. Hopefully, everyone performs daily backups and follows the 3-2-1 rule of archiving and storage. But even if you do, you should encrypt your archives for safekeeping. Encryption, especially AES-256 encryption, helps protect your files and archives from prying eyes, even if they're exfiltrated into a malicious actor's possession.

Don't forget that 7-Zip is also an excellent compression tool if you want to minimize those backup file sizes. But this article focuses on encryption rather than compression. There are several switches and configurations available to obtain different compression levels for your archives. Check the man page for more information on compression settings.

While 7-Zip's encryption and compression features are good, its backup features are weak. On the man page for 7-Zip, you find the following warning:

Backup and limitations

DO NOT USE the 7-Zip format for backup purposes on Linux/Unix because 7-zip does not store the owner/group of the file. On Linux/Unix, in order to backup directories, you must use tar.


7-Zip isn't a base product, so you'll have to install it. To grab the entire suite of 7-Zip plugins and documentation along with the main 7-Zip package, use the following command:

# dnf install -y p7zip*

I use the * to download every package related to 7-Zip. This installs p7zip, p7zip-plugins, and p7zip-doc from the EPEL repository.


Files encrypted using the .7z format are encrypted with AES-256 encryption by default. You don't need any extra settings to obtain that encryption level. You should turn on data and header encryption (-mhe=on) so that no one can see your file list in the archive file before entering the password (key). The following example is my standard one for encrypting a tarball. I don't supply any special compression switches, but I do turn on header encryption, and I always supply a strong password (encryption key) for each archive. Generically, this is my archive and encrypt command:

$ tar -cf directory.tar <directory>

$ 7z a -p -mhe=on directory.tar.7z directory.tar

Here is the interactive version for a directory named archive.

$ tar -cf archive.tar archive

$ 7z a -p -mhe=on archive.tar.7z

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i5-7360U CPU @ 2.30GHz (806E9),ASM,AES-NI)

Creating archive: archive.tar.7z

Items to compress: 1

Enter password (will not be echoed):
Verify password (will not be echoed) :
Files read from disk: 1
Archive size: 166 bytes (1 KiB)
Everything is Ok

$ ls
archive archive.tar archive.tar.7z 

Not all documentation on the 7-Zip utility is the most up-to-date. My suggestion is always to consult the man page, which should provide the latest information. I find the man page to be the most accurate and helpful documentation available.

The 7z format

This information is an excerpt from the 7-Zip website.

7z is the new archive format, providing a high compression ratio.

The main features of 7z format:

  • Open architecture
  • High compression ratio
  • Strong AES-256 encryption
  • Ability to use any compression, conversion, or encryption method
  • Supporting files with sizes up to 16000000000 GB
  • Unicode file names
  • Solid compressing
  • Archive headers compressing

7z has an open architecture so it can support any new compression methods.


First, decrypt the archive from the compressed, encrypted 7z file and supply your encryption password.

$ 7z x archive.tar.7z 

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i5-7360U CPU @ 2.30GHz (806E9),ASM,AES-NI)

Scanning the drive for archives:
1 file, 440 bytes (1 KiB)

Extracting archive: archive.tar.7z

Enter password (will not be echoed):
Path = archive.tar.7z
Type = 7z
Physical Size = 440
Headers Size = 200
Method = LZMA2:12k 7zAES
Solid = -
Blocks = 1

Everything is Ok

Size:       10240
Compressed: 440

$ ls

archive.tar archive.tar.7z

Now, untar the tarred files in the usual way.

$ tar xvf archive.tar

Your directories and files are intact with the proper permissions. That's all there is to it. 7-Zip's simplicity, speed, compression, and encryption make it a must-have for sysadmins who need those features for your archives.

[ Thinking about security? Check out this free guide to boosting hybrid cloud security and protecting your business. ]

Wrap up

I feel good knowing that 7-Zip is a free, open source utility that requires no fees or registration to use. It works on Windows, Linux, and Mac systems, so you should be covered on all of your platforms. Please test the encryption and decryption process to be sure that you can extract your tar files after they've been encrypted and decrypted. You certainly don't want to find out that something has gone wrong with your tar file when you need to restore something from one of them.

Check out these related articles on Enable Sysadmin

Topics:   Linux   Linux administration   Security  
Author’s photo

Ken Hess

Ken has used Red Hat Linux since 1996 and has written ebooks, whitepapers, actual books, thousands of exam review questions, and hundreds of articles on open source and other topics. Ken also has 20+ years of experience as an enterprise sysadmin with Unix, Linux, Windows, and Virtualization. More about me

Red Hat Summit 2022: On Demand

Get the latest on Ansible, Red Hat Enterprise Linux, OpenShift, and more from our virtual event on demand.

Related Content