34

Using the command line, I know that I can encrypt a directory with the following command:

```
zip -er Directory.zip /path/to/directory
```

However, this does not encrypt the filenames themselves. If someone runs:

```
unzip Directory.zip
```

and repeatedly enters a wrong password, the unzip command will loop through all of the contained filenames until the correct password is entered. Sample output:

```
unzip Directory.zip
Archive:  Directory.zip
   creating: Directory/
[Directory.zip] Directory/sensitive-file-name-1 password:
password incorrect--reenter:
password incorrect--reenter:
   skipping: Directory/sensitive-file-name-1  incorrect password
[Directory.zip] Directory/sensitive-file-name-2 password:
password incorrect--reenter:
password incorrect--reenter:
   skipping: Directory/sensitive-file-name-2  incorrect password
[Directory.zip] Directory/sensitive-file-name-3 password:
password incorrect--reenter:
password incorrect--reenter:
   skipping: Directory/sensitive-file-name-3  incorrect password
```

and so on.

Using the command line, is there a way to zip a directory with encryption while also encrypting or hiding the filenames themselves?

Thank you.

Leo Galleguillos
  • You probably don't want to use zip's default encryption as it's weak so use `7zip` since it uses AES based encryption. – Pierz Mar 19 '18 at 12:43
  • What is zip's default encryption, and what is your source for asserting that zip's default encryption is unsafe? – Leo Galleguillos Mar 26 '18 at 21:14
  • 4
    Most zip tools (there are some newer zip tools that use better crypto) still use the PKZIP Stream cipher which was first shown to be weak in 1994: https://rd.springer.com/content/pdf/10.1007%2F3-540-60590-8_12.pdf The Wikipedia page gives a basic overview: https://en.wikipedia.org/wiki/Zip_(file_format)#Encryption – Pierz Apr 06 '18 at 12:19

3 Answers

51

In a zip file, only file contents are encrypted. File metadata, including file names, is not encrypted. That's a limitation of the file format: each entry is compressed separately, and if encrypted, encrypted separately.

You can use 7-zip instead. It supports metadata encryption (-mhe=on with the Linux command line implementation).

```
7z a -p -mhe=on Directory.7z /path/to/directory
```

There are 7zip implementations for all major operating systems and most minor ones, but that might require installing extra software (IIRC Windows can unzip encrypted zip files out of the box these days). If requiring 7z for decryption is a problem, you can rely on zip only by first using it to pack the directory in a single file, and then encrypting that file. If you do that, turn off compression of individual files and instruct the outer zip to compress the zip file; you'll get a better compression ratio overall.

```
zip -0 -r Directory.zip /path/to/directory
zip -e -n : encrypted.zip Directory.zip
```

Gilles 'SO- stop being evil'
  • 1
    Probably best to avoid using zip to encrypt - one can use 7zip to generate a more securely encrypted (AES) zipfile on the 2nd line: `7z a -p -tzip encrypted.zip Directory.zip` – Pierz Mar 19 '18 at 12:51
  • This is a good workaround. The only reason I use zip is because I'm sending it to a non-techie who uses Windows. Otherwise, it's `.tar.xz.gpg`. – Majal Aug 29 '22 at 08:48
  • The `.7z` and `.rar` formats support hiding filenames too when encrypting – yurenchen Oct 14 '22 at 14:33
  • @Gilles Will the command `7z a -p -mhe=on Directory.7z /path/to/directory` compress the `/path/to/directory` recursively (with all subdirectories)? I need a command which does it recursively and with password. Thanks – xralf Nov 08 '22 at 21:54
  • 1
    @xralf Yes, that archives the directory and all its contents recursively. – Gilles 'SO- stop being evil' Nov 09 '22 at 10:47
4

You could create an archive using your favorite tool and then use bcrypt to perform encryption/decryption.

A) To create an encrypted file:

```
tar -czf Directory.tgz /path/to/directory
bcrypt Directory.tgz
```

This will give you a Blowfish-encrypted file Directory.tgz

B) To reverse this process:

```
bcrypt Directory.tgz.bfe
tar -xf Directory.tgz
```

Jedi
  • 3
    The approach is good, but you should use another tool for encryption — `bcrypt` uses ECB which reveals structure in the encrypted data. See [Debian bug #700758](http://bugs.debian.org/700758) for details (Debian's `bcrypt` only supports decryption as a result). – Stephen Kitt Jun 16 '16 at 08:33
1

Because there is not yet an answer which strictly answers how to use zip to encrypt filename-listing as well as file(s) contents, here is one. As commented in other answers, zip-encryption may or may not be secure depending on which version you are using and anyway tools like tar & gpg are better from a technical perspective, but when you are stuck having to create portable archives for non-technical users (i.e. using zip only, maybe they can't or won't even install 7-zip...) a simple workaround is to make an encrypted-zip of an intermediate plain-zip. It usually only adds about 200 bytes for the extra header.

```
% zip -r directory.zip secret-stuff
% zip -e -r directory-encrypted.zip directory.zip
```

Then, when someone tries to list filenames (or reveal them during password-guesses) they will just see the following:

```
% unzip -l directory-encrypted.zip
Archive:  directory-encrypted.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
  1747768  2023-02-14 04:45   directory.zip
---------                     -------
  1747768                     1 file
```

and after extracting the outer zip the intermediate one would then be listable:

```
% unzip -l directory.zip # unencrypted intermediate archive
Archive:  directory.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2023-02-14 03:50   secret-stuff/
        0  2023-02-06 21:36   secret-stuff/really/
        0  2023-02-06 21:36   secret-stuff/really/totally/
  1844742  2023-02-06 19:44   secret-stuff/really/totally/uh-oh.pdf
    72279  2023-02-06 19:45   secret-stuff/really/totally/another-one.pdf
        0  2023-02-14 03:50   secret-stuff/really/oops/
      225  2023-02-14 03:50   secret-stuff/really/oops/file-list.txt
---------                     -------
  1917246                     7 files
```

Rowan Thorpe
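An added example, not part of any answer above: a pre-send check that reads a zip's central directory with no password and reports every name an observer can see, applied to a flat `zip -er` style archive and to the zip-inside-a-zip layout that the first and third answers describe. The helper names are hypothetical, and because Python's `zipfile` cannot write encrypted entries, the sample archives are constructed in memory with the "encrypted" flag bit set by hand rather than real ciphertext.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x1  # general-purpose flag bit 0: entry data is encrypted


def central_records(raw):
    """Yield (offset, flags, name) for each central directory record."""
    eocd = raw.rfind(b"PK\x05\x06")  # end-of-central-directory signature
    if eocd < 0:
        raise ValueError("not a zip archive")
    # total entry count, central directory size (unused), central directory offset
    count, _, pos = struct.unpack_from("<HII", raw, eocd + 10)
    for _ in range(count):
        (flags,) = struct.unpack_from("<H", raw, pos + 8)
        n, m, k = struct.unpack_from("<HHH", raw, pos + 28)  # name/extra/comment lengths
        yield pos, flags, raw[pos + 46:pos + 46 + n].decode("utf-8", "replace")
        pos += 46 + n + m + k


def exposed_entries(raw):
    """Names readable with no password, each with its 'encrypted' flag."""
    return [(name, bool(flags & ENCRYPTED)) for _, flags, name in central_records(raw)]


def make_zip(files):
    """Build a stored (uncompressed) zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted(raw):
    """Constructed stand-in for `zip -e`: sets flag bit 0 only; the data is
    not actually encrypted (Python's zipfile cannot write encrypted entries)."""
    out = bytearray(raw)
    for pos, flags, _ in central_records(raw):
        struct.pack_into("<H", out, pos + 8, flags | ENCRYPTED)
    return bytes(out)


# Constructed sample data mirroring the question's file names.
inner = make_zip({f"Directory/sensitive-file-name-{i}": b"secret" for i in (1, 2, 3)})
flat = mark_encrypted(inner)                                  # like `zip -er`
wrapped = mark_encrypted(make_zip({"Directory.zip": inner}))  # zip of a zip

print(exposed_entries(flat), exposed_entries(wrapped), sep="\n")
```

Run against a real archive's bytes, `exposed_entries` lists exactly what `unzip -l` would show without the password, so a single outer entry confirms the wrapping worked.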