Create an encrypted zip archive with PHP

php encryption zip

40,355

Solution 1

Note: this answer recommends a cryptographic method that is known insecure, even with good password. Please see link from comments and the Winzip QA on AES. Support for in-php AES zip encryption arrives with php 7.2 (and libzip 1.2.0), which means this answer will soon be outdated too. Until then see this answer for how to call out to 7z instead of the zip command, which supports winzip's AES encryption.

You can use this:

<?php echo system('zip -P pass file.zip file.txt'); ?>

Where pass is the password, and file.txt will be zipped into file.zip. This should work on Windows and Linux, you just need to get a free version of zip for Windows ( http://www.info-zip.org/Zip.html#Win32 )

This kind of security can be broken by brute force attacks, dictionary attacks and etc. But it's not that easy, specially if you chose a long and hard to guess password.

Solution 2

As of php 7.2 (which was released a hours ago), the right way to do this is to use additional functionality included in ZipArchive native php code. (thanks to abraham-tugalov for pointing out that this change was coming)

Now the simple answer looks something like this:

<?php
$zip = new ZipArchive();
if ($zip->open('test.zip', ZipArchive::CREATE) === TRUE) {
    $zip->setPassword('secret_used_as_default_for_all_files'); //set default password

    $zip->addFile('thing1.txt'); //add file
    $zip->setEncryptionName('thing1.txt', ZipArchive::EM_AES_256); //encrypt it

    $zip->addFile('thing2.txt'); //add file
    $zip->setEncryptionName('thing2.txt', ZipArchive::EM_AES_256); //encrypt it

    $zip->close();

    echo "Added thing1 and thing2 with the same password\n";
} else {
    echo "KO\n";
}
?>

But you can also set the encryption method by index and not name, and you can set each password on a per-file basis... as well as specify weaker encryption options, using the newly supported encryption options.

This example exercises these more complex options.

<?php
$zip = new ZipArchive();
if ($zip->open('test.zip', ZipArchive::CREATE) === TRUE) { 
     //being here means that we were able to create the file..

     //setting this means that we do not need to pass in a password to every file, this will be the default
    $zip->addFile('thing3.txt');

    //$zip->setEncryptionName('thing3.txt', ZipArchive::EM_AES_128);
    //$zip->setEncryptionName('thing3.txt', ZipArchive::EM_AES_192);
    //you should just use ZipArchive::EM_AES_256 unless you have super-good reason why not. 
    $zip->setEncryptionName('thing3.txt', ZipArchive::EM_AES_256, 'password_for_thing3');

     $zip->addFile('thing4.txt');
    //or you can also use the index (starting at 0) of the file...
    //which means the following line should do the same thing...
    //but just referencing the text.txt by index instead of name..
    //$zip->setEncryptionIndex(1, ZipArchive::EM_AES_256, 'password_for_thing_4'); //encrypt thing4, using its index instead of its name...

    $zip->close();
    echo "Added thing3 and thing4 with two different passwords\n";
} else {
    echo "KO\n";
}
?>

The underlying support for zip encryption is enabled because libzip 1.2.0 introduced support for encryption. So you will need to have php 7.2 and libzip 7.2 in order to run this code... Hopefully this note will be cruft on this answer "real soon"

Solution 3

Although PHP is a mature language, there is no adequate method (excluding custom extension or something like that) to achieve such a simple task with pure PHP.

What you also can do, is to wait until PHP 7.2 will be available for production (because ZipArchive::setEncryptionName is implemented (thanks to Pierre and Remi)).

But, until then you also can try to port php_zip >= 1.14.0 to PHP < 7.2, but there is currently no compiled binaries available, so you have to compile it yourself and try if it is possible at all (I believe it is).

PS I would try it, but have no VS2015+ on my PC right now.

40,355

KitzyKitt

Updated on July 09, 2022

Comments

KitzyKitt almost 2 years

I am searching for a way to encrypt a .txt file into a zip, but in a secure password protected way. My goal is to email this file to me, without anyone being able to read the content of the attachment.

Does anybody know an easy, and above all, secure way to accomplish this ? I can create zip archives, but I do not know how to encrypt them, or, how secure this is.
KitzyKitt about 15 years

thank you, I will try this. it is on a linuxserver I'm working, so the add-on will not be necessary.
Amit Patil about 15 years

ZIP encryption is actually pretty weak, there are attacks that yield a working password (if not necessarily the same password that was originally used) in relatively short time.
KitzyKitt about 15 years

and do you know how i can use this in a php script ? many thanks!
Cheeso about 15 years

if you run PHP on Windows, there's DotNetZip (dotnetzip.codeplex.com) that supports AES-encrypted zips. PHP can invoke .NET components. badda bing, badda boom.
KitzyKitt about 15 years

unfortunately most of my servers run on linux. but i can use this solution for the ones on windows. thank you very much!
Jon Bright about 12 years

This answer is actively dangerous. The encryption used by this answer is horribly weak. It is not the modern AES-based encryption.
Maciej Swic over 11 years

Many hosting environments block the "system" function. Using the ZipArchive class is better.
Joeri over 10 years

Not sure what kind of security is needed. But do an encryption first and then mail yourself a zipped file might be a better route. Or even mail yourself a link and create the file on demand on accessing that link.
Joeri over 10 years

I'd go with encrypting the data with gibberish-aes-php. Zip that ( or not ), download, and run a local cli-php-script to decrypt. There is also a javascript implementation of gibberish-aes so the clientside could also be javascript. ( github.com/ivantcholakov/gibberish-aes-php )
ftrotter over 6 years

This is a great answer. But it should get notched down now that support is in php 7.2...
Ng Sek Long over 5 years

Note that with system("..."), there is no need to use echo, see "stackoverflow.com/a/6708202/6463291"
Cagy79 almost 5 years

Since PHP 7.2 this is no longer the correct answer. setEncryptionName() is now the correct method.
nights about 4 years

Wow, this actually works. Very counter-intuitive that you have to set the encryption theme for each file individually.