How to zip directory with encryption for file names?


Solution 1

In a zip file, only file contents are encrypted. File metadata, including file names, is not encrypted. That's a limitation of the file format: each entry is compressed separately, and if encrypted, encrypted separately.

You can use 7-zip instead. It supports metadata encryption (-mhe=on with the Linux command line implementation).

7z a -p -mhe=on Directory.7z /path/to/directory

There are 7zip implementations for all major operating systems and most minor ones, but that might require installing extra software (IIRC Windows can unzip encrypted zip files out of the box these days). If requiring 7z for decryption is a problem, you can rely on zip only by first using it to pack the directory in a single file, and then encrypting that file. If you do that, turn off compression of individual files and instruct the outer zip to compress the zip file; you'll get a better compression ratio overall.

zip -0 -r Directory.zip /path/to/directory
zip -e -n : encrypted.zip Directory.zip
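
An added example, not part of the answer above: it builds both archive layouts in memory and lists what anyone can read from each one without a password, then compares sizes. Python's zipfile module cannot write encrypted entries, so the encryption step stays with zip -e; the helper names and the sample files are constructed for illustration.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 in each zip entry header


def build_zip(files, method):
    """Return zip bytes holding `files` (name -> bytes), one entry per file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def flat_archive(files):
    """Same layout as `zip -r`: every file is its own compressed entry."""
    return build_zip(files, zipfile.ZIP_DEFLATED)


def nested_archive(files, inner_name="Directory.zip"):
    """Two-step layout: stored inner zip (-0) inside a compressed outer zip."""
    inner = build_zip(files, zipfile.ZIP_STORED)
    return build_zip({inner_name: inner}, zipfile.ZIP_DEFLATED)


def names_without_password(archive_bytes):
    """List (entry name, encrypted flag) from the central directory.

    No password is supplied: zip keeps this metadata in the clear even when
    entry contents are encrypted, so this also works on `zip -e` output.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [(i.filename, bool(i.flag_bits & ENCRYPTED_FLAG)) for i in zf.infolist()]


# Constructed sample input: 20 small files with sensitive-looking names.
SAMPLE = {
    f"Directory/sensitive-file-name-{n}": (f"record {n}\n" * 20).encode()
    for n in range(1, 21)
}

if __name__ == "__main__":
    flat, nested = flat_archive(SAMPLE), nested_archive(SAMPLE)
    print("flat   :", len(flat), "bytes, names visible:", len(names_without_password(flat)))
    print("nested :", len(nested), "bytes, names visible:", names_without_password(nested))
```

Running names_without_password on the bytes of a real zip -e archive is a quick pre-send check: every name it returns is readable by whoever receives the file.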

Solution 2

You could create an archive using your favorite tool and then use bcrypt to perform encryption/decryption.

A) To create an encrypted file:

tar -czf Directory.tgz /path/to/directory
bcrypt Directory.tgz

This will give you a Blowfish-encrypted file Directory.tgz.

B) To reverse this process:

bcrypt Directory.tgz.bfe
tar -xf Directory.tgz
Author by

Chris lee

Updated on September 18, 2022

Comments

  • Chris lee over 1 year

    Using the command line, I know that I can encrypt a directory with the following command:

    zip -er Directory.zip /path/to/directory
    

    However, this does not encrypt the filenames themselves. If someone runs:

    unzip Directory.zip
    

    and repeatedly enters a wrong password, the unzip command will loop through all of the contained filenames until the correct password is entered. Sample output:

    unzip Directory.zip 
    Archive:  Directory.zip
       creating: Directory/
    [Directory.zip] Directory/sensitive-file-name-1 password: 
    password incorrect--reenter: 
    password incorrect--reenter: 
       skipping: Directory/sensitive-file-name-1  incorrect password
    [Directory.zip] Directory/sensitive-file-name-2 password: 
    password incorrect--reenter: 
    password incorrect--reenter: 
       skipping: Directory/sensitive-file-name-2  incorrect password
    [Directory.zip] Directory/sensitive-file-name-3 password: 
    password incorrect--reenter: 
    password incorrect--reenter: 
       skipping: Directory/sensitive-file-name-3  incorrect password
    

    and so on.

    Using the command line, is there a way to zip a directory with encryption while also encrypting or hiding the filenames themselves?

    Thank you.

    • Pierz about 6 years
      You probably don't want to use zip's default encryption, as it's weak, so use 7zip since it uses AES-based encryption.
    • Chris lee about 6 years
      What is zip's default encryption, and what is your source for asserting that zip's default encryption is unsafe?
    • Pierz about 6 years
      Most zip tools (there are some newer zip tools that use better crypto) still use the PKZIP stream cipher, which was first shown to be weak in 1994: rd.springer.com/content/pdf/10.1007%2F3-540-60590-8_12.pdf The Wikipedia page gives a basic overview: en.wikipedia.org/wiki/Zip_(file_format)#Encryption
  • Stephen Kitt almost 8 years
    The approach is good, but you should use another tool for encryption — bcrypt uses ECB, which reveals structure in the encrypted data. See Debian bug #700758 for details (Debian's bcrypt only supports decryption as a result).
  • Pierz about 6 years
    Probably best to avoid using zip to encrypt - one can use 7zip to generate a more securely encrypted (AES) zipfile on the 2nd line: 7z a -p -tzip encrypted.zip Directory.zip