Best Secure Encryption for Zip Files via Linux

I want to use highly secure encryption for zipped files via Linux/Ubuntu using a command line terminal, what is the best command line tool to get this job done?

zip -e -P PASSWORD file1 file2 file3 file4

Or

7za a file.7z *.txt -pSECRET

What encryption is used and how secure is it?


Solution 1:

The compression offered by 7zip (in the 7z format) is more secure than any of the "standard" methods or encrypting a zip format file (many of which date back years and are barely secure at all). In either case make sure you chose a good password/key - with a badly chosen password all encryption techniques are susceptible to dictionary/guess attacks.

If you are encrypting files to send to someone else, GPG would be better (see https://help.ubuntu.com/community/GnuPrivacyGuardHowto for some Ubuntu specific notes, or Google for many other similar resources) if the person you are sending to is capable+willing to use GPG/PGP/compatible (or is already using them). The standard GPG tools are command line driven so easy to work into scripts if you are archiving files regularly and want to automate it. This is public key based so removes the problem of trying to get the key to the recipient by secure means as you encrypt with their public key and only they have the private key needed to unlock the resulting file (even you, the person who encrypted the file in the first place, would not be able to decrypt it). For paranoia++, encrypt with 7zip as you make the archive then with the recipient's public key via GPG.

Solution 2:

Not sure about the standard zip in Ubuntu, so I can't say which is 'best', but here's what 7-Zip claims they use:

7-Zip also supports encryption with AES-256 algorithm. This algorithm uses cipher key with length of 256 bits. To create that key 7-Zip uses derivation function based on SHA-256 hash algorithm. A key derivation function produces a derived key from text password defined by user. For increasing the cost of exhaustive search for passwords 7-Zip uses big number of iterations to produce cipher key from text password.

Solution 3:

From the zip man page:

   -P password
   --password password
          Use password to encrypt zipfile entries (if any).  THIS IS INSECURE!  Many multi-user operating systems provide  ways
          for  any  user  to  see  the  current command line of any other user; even on stand-alone systems there is always the
          threat of over-the-shoulder peeking.  Storing the plaintext password as part of a command line in an automated script
          is  even  worse.  Whenever possible, use the non-echoing, interactive prompt to enter passwords.  (And where security
          is truly important, use strong encryption such as Pretty Good Privacy instead of the relatively weak standard encryp-
          tion provided by zipfile utilities.)

The upshot is that if your zip process takes a while, another user on the system might be able to see the command entered, which would include the password. oops. Presumably this applies to the .7z solution as well.