7z command line with highest encryption: AES-256 + Encrypting the Filenames

I had a question. I'm trying to back up and encrypt files, but using the more recent aes256 or aes512 encryption.

1) I heard 7z defaults to aes128. I want to use the best one (aes256... I think?). How do I do it?

Here is my command:

cd /mnt/MyBackupHardDrive ;

7z a MyFullComputerBackup-AES256.7z -t7z -m0=lzma2:d1024m -mx=9 -aoa -mfb=64 -md=32m -ms=on /home/MyHomeDirectory

2) Does this automatically encrypt the filenames too?

Thanks for any help you can offer!


Solution 1:

It is possible to get AES 256 encryption with 7z and make the archive and filenames only visible with the use of a passphrase. I note that the vital 'passphrase' option is missing from your own command line.

An example, for which I have borrowed liberally from the man pages:

7z a \
  -t7z -m0=lzma2 -mx=9 -mfb=64 \
  -md=32m -ms=on -mhe=on -p'eat_my_shorts' \
   archive.7z dir1

A slightly more secure method is to actually leave the -p field blank; 7z will then prompt you to type a password before actually creating the archive.

Explanation:

Here is an explanation for those not well versed in the 7z command line:

a                   Add (dir1 to archive.7z)
-t7z                Use a 7z archive
-m0=lzma2           Use lzma2 method
-mx=9               Use the '9' level of compression = Ultra
-mfb=64             Use number of fast bytes for LZMA = 64
-md=32m             Use a dictionary size = 32 megabytes
-ms=on              Solid archive = on
-mhe=on             7z format only : enables or disables archive header encryption
-p{Password}        Add a password

Testing the archive:

The subsequent archive can be tested with the command 7z l -slt archive.7z which I demonstrate below:

andrew@illium~/test$ 7z l -slt archive.7z

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs x64)

Scanning the drive for archives:
1 file, 12919 bytes (13 KiB)

Listing archive: archive.7z


Enter password (will not be echoed):   <-------------
--
Path = archive.7z
Type = 7z
Physical Size = 12919
Headers Size = 247
Method = LZMA2:14 7zAES
Solid = -
Blocks = 1

----------
Path = dir1
Size = 0
Packed Size = 0
Modified = 2017-06-23 14:10:59
Attributes = D_ drwxr-xr-x
CRC = 
Encrypted = -
Method = 
Block = 

Path = dir1/200px-Aum_calligraphy.svg.png
Size = 12663
Packed Size = 12672
Modified = 2015-05-06 07:29:23
Attributes = A_ -rw-r--r--
CRC = 77BD9922
Encrypted = +                    <-------------
Method = LZMA2:14 7zAES:19       <-------------
Block = 0

andrew@illium~/test$ 

Note the call for a password as well as the notation that gives the encryption as 7zAES:19 aka AES-256 (I have arrowed these points for the sake of clarity).

Caveats:

  1. Note that in the man pages there is a specific warning against using 7z for archival purposes under Linux:

    DO NOT USE the 7-zip format for backup purpose on Linux/Unix because :
    - 7-zip does not store the owner/group of the file.
    
  2. Note as well some limitations and workarounds given in the man pages with regard to the backing up of directories under Linux....
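
The manual check in "Testing the archive" can be scripted for archives with many entries. The following is an added example, not part of the original answer: it reads the `7z l -slt` listing on stdin and reports any file entry that lacks `Encrypted = +` or a `7zAES` method. The function names and the sample listing are constructed for illustration.

```shell
# Added example: read `7z l -slt` output on stdin and flag every file entry
# that is not marked "Encrypted = +" with a 7zAES method (exit 1 if any).
check_7z_encrypted() {
    awk '
        function check_entry() {
            if (have && !is_dir) {
                total++
                if (enc != "+" || method !~ /7zAES/) {
                    printf "NOT ENCRYPTED: %s\n", path
                    bad++
                }
            }
            have = 0; is_dir = 0; enc = ""; method = ""
        }
        # Archive-level properties end at the dashed separator line.
        /^----------$/   { in_entries = 1; next }
        !in_entries      { next }
        /^Path = /       { check_entry(); path = substr($0, 8); have = 1; next }
        /^Attributes = / { is_dir = ($3 ~ /^D/); next }
        /^Encrypted = /  { enc = $3; next }
        /^Method = /     { method = substr($0, 10); next }
        END {
            check_entry()
            printf "%d file(s) checked, %d not encrypted\n", total, bad
            exit ((bad > 0 || total == 0) ? 1 : 0)
        }
    '
}

# Constructed sample listing (not real output): one encrypted file, one not.
sample_listing() {
    cat <<'EOF'
Method = LZMA2:14 7zAES
----------
Path = dir1
Attributes = D_ drwxr-xr-x

Path = dir1/secret.txt
Attributes = A_ -rw-r--r--
Encrypted = +
Method = LZMA2:14 7zAES:19

Path = dir1/plain.txt
Attributes = A_ -rw-r--r--
Encrypted = -
Method = LZMA2:14
EOF
}
sample_listing | check_7z_encrypted || true   # demo run on the sample
```

Directories are skipped because they carry no data stream, and an empty listing is treated as a failure so that a listing that never got past the password prompt does not pass silently.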