PeaZip is a free file archiver with a strong focus on security. It
supports reading and writing (encryption and decryption) of many strong
encryption standards, optionally using two factor authentication (2FA:
password and keyfile) for increased security against means such as
social engineering or dictionary-based attacks (which can considerably
reduce the effort of brute-forcing a textual password or passphrase).
Purposes of file encryption
Use of end-to-end cryptography, in which sender and recipient are in
charge of encrypting and decrypting the encoded data, is strongly
recommended each time sensitive data is sent to (or through) external
servers, even if the service is advertised as implementing
cryptographic measures.
For example, creating encrypted mail attachments (and encrypting
uploads to cloud services) preserves data secrecy against any
unauthorized access to the user's private information and data even if
the service is compromised, whether by a successful attack, an insider
breach, or a plain change of policies granting access to unwanted
subjects: opening and extracting the encrypted file will always require
the encryption password to be known.
Encryption algorithms supported by PeaZip
Cryptographic protocols supported by PeaZip free encryption utility for
writing (creating password protected archives) are:
- 7Z
  - 7-Zip / p7zip AES256-based encryption
- ZIP / ZIPX
  - WinZip AE (Advanced Encryption), AES256-based
  - ZipCrypto, for legacy compatibility only: the algorithm is
    considered weak by today's standards and is not recommended to
    protect sensitive data
- ARC
  - FreeARC ARC format, implementing an encryption scheme that supports
    AES256, the AES contest finalists Twofish256 and Serpent256, and
    the classic Blowfish algorithm
- PEA
  - PeaZip's native .pea file format, supporting AES, Serpent and
    Twofish (128 and 256 bit) EAX-mode authenticated encryption,
    enforcing cryptographically strong data secrecy and verifiable
    authenticity. The PEA format can also use cascaded AES, Serpent and
    Twofish: all the data will be encrypted and authenticated by all
    three ciphers.
- RAR, if WinRar is installed in the system
  - RAR4 AES128-based encryption
  - RAR5 AES256-based encryption
- ZPAQ
  - ZPAQ AES256-based encryption
PeaZip free encryption utility supports (read-only) decryption of ACE
archives.
Read more about data encryption: NIST Information Technology Portal,
IACR Cryptology archive, Wikipedia entry for encryption; view the
description of the Advanced Encryption Standard finalists: Rijndael/AES,
Twofish, and Serpent ciphers.
Read about how quantum computing would likely affect the symmetric key
encryption algorithms employed in PeaZip, under the current
understanding of quantum computing technology, in Post-quantum
computing cryptography analysis.
How are passwords handled in PeaZip
Passwords are entered in PeaZip and kept only for the current session
of the app, until the app is closed.
Unchecking option “Keep password for the current session” (in password
prompt) is more restrictive as it resets the password each time a new
archive is opened.
Passwords are kept in memory, unless the system decides to save the
app’s memory in a paging file: preventing this is beyond what the app
can do.
By default, passwords are then sent, ephemerally, to the stdin of the
backend process (the binary handling each specific archive format),
without sending them as command line parameters.
This is safer because sending passwords as command line parameters
makes them visible, and logged, in the user’s process table and
possibly console history, which (depending on the host system
configuration) may not meet the security requirements desired by the
user.
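
The difference can be observed directly. This is an added example, not PeaZip code: it starts a stand-in backend (a hypothetical Python one-liner) and checks whether a constructed password can be read from the process table when it is passed as a parameter versus written to stdin. It assumes a Unix-like host with /proc or ps.

```python
import subprocess
import sys
from pathlib import Path

# Stand-in backend (hypothetical): takes the password from argv[1] if present,
# otherwise from the first stdin line, then blocks until stdin is closed so
# the parent can inspect it while it is still running.
BACKEND = (
    "import sys\n"
    "pw = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.readline().strip()\n"
    "sys.stdin.read()\n"
)


def visible_args(pid):
    """Return the command line of `pid` as other local processes can read it."""
    proc_file = Path(f"/proc/{pid}/cmdline")
    if proc_file.exists():  # Linux: NUL-separated argument vector
        return proc_file.read_bytes().replace(b"\0", b" ").decode()
    # Other Unix systems: ask ps for the argument vector.
    result = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                            capture_output=True, text=True)
    return result.stdout


def password_exposed(password, use_stdin):
    """True if `password` shows up in the backend's visible command line."""
    argv = [sys.executable, "-c", BACKEND]
    if not use_stdin:
        argv.append(password)  # password as command line parameter
    child = subprocess.Popen(argv, stdin=subprocess.PIPE, text=True)
    try:
        if use_stdin:
            child.stdin.write(password + "\n")  # password through the pipe
            child.stdin.flush()
        return password in visible_args(child.pid)
    finally:
        child.stdin.close()  # EOF lets the stand-in backend exit
        child.wait()


if __name__ == "__main__":
    sample = "S3cret-constructed-pw"  # constructed sample value
    print("as parameter:", password_exposed(sample, use_stdin=False))
    print("via stdin:   ", password_exposed(sample, use_stdin=True))
```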
Exceptions where the password is sent as command line parameter
- If it is not possible to use stdin input for the target backend
  binary
  - This exception does apply to FreeArc, Pea, and Zpaq, legacy UnACE
    and UnRar5 plugins, and custom arbitrary binaries
  - This exception does NOT apply to 7z/p7zip (7Z, 7Z sfx, ZIP, ZIPX,
    RAR extraction) and WinRar (external, RAR compression)
- Always when using Console mode or GUI+Console mode option (Settings,
  Advanced tab, Backend binaries option group)
- Always when saving the task as command line script (Console tab in
  extraction and archiving screens). In this case it is also necessary
  to handle the saved script file securely, so that it is not
  accessible to attackers.
The “Force typing password interactively” option (in password dialog)
disables entering passwords in the PeaZip app, so passwords are never
in the app’s memory at any time, nor passed to backend binaries by any
means. Please note this will also disable browsing archives with
encrypted TOC from PeaZip’s file browser.
When this option is checked, passwords are typed directly in each
backend binary, for any backend binary, overriding any other PeaZip
setting.
This mode can also be used to work with binaries that, for any reason,
would not work with PeaZip passing the password through pipes.
Console scripts generated with this option checked will require
passwords to be typed interactively, and will never have passwords
saved in them.
Limitations:
- In this mode it is not possible to browse archives with encrypted TOC
- The Zpaq backend does not accept passwords interactively: in this
  case the password will not be asked for nor passed in any way
Characters allowed in passwords
All characters are allowed in passwords, and it is strongly recommended
to mix uppercase, lowercase, numbers and symbols, alongside relying on
long passwords / passphrases which cannot be trivially linked to the
user by social engineering, nor are likely to be recovered with a
dictionary attack.
However, as an extra safety measure PeaZip checks the password field to
avoid using quote character(s): these would make it more difficult to
check exported scripts (from Console tab in extraction and archiving
screens) to detect whether special characters in the password are
correctly and safely escaped.
On Windows the warning is issued if the " double quote character is
used, on non-Windows systems only if both the ' single quote and the "
double quote characters are used.
The “Force typing password interactively” option (in password dialog)
disables this check so any character can be used.
Create a new encrypted archive
To create an encrypted file archive (password protect files within
archives), choose an archive type supporting encryption, such as ZIP,
7Z, ARC, PEA, and ZPAQ, add files to the archive being created as
explained in the FAQ page, then click on the padlock icon to set a
password and optionally a keyfile for the archive. The icon is in the
status bar in the file/archive browser, and under the output file name
in the archive creation interface.
Please note the password will be applied to the objects that will be
added to the archive in the current operation. 7Z, ARC, ZIP, and ZIPX
archives support file level encryption (supporting multiple encryption
passwords), so each file in an archive could have, if desired by the
archive creator, a different password: applying a password to an
existing archive will therefore not affect it (it will not apply
password protection to already archived files).
Encrypt an already existing archive
To password-protect an already existing archive you need to extract and
rebuild it, applying the desired password.
The archive conversion interface can help automate the task.
PeaZip provides an integrated utility to create random keyfiles and
passwords, sampling entropy from the system and from the user's
interaction: Ctrl+F9 or main application's menu Tools > Create random
password / keyfile.
Manage encryption passwords
PeaZip's password manager is available from main menu, Tools > Password
manager.
The password list file is saved in the user's private path, allowing
each user to maintain a personal password manager containing different
passwords or passphrases not accessible to other standard users of the
same system.
Optionally, the user can decide to encrypt the password list with a
master password, making the password manager private even to
administrative accounts of the same machine, as the data file is
unreadable until the correct password is provided.
Some archive types, like 7Z and ARC, support encrypting the file names
of items added to the archive: in this case it will not even be
possible to see the list of the archive's content, file and directory
names (in case the names themselves expose sensitive information),
without knowing the password. This option is available in the Password
dialog. PEA and ZPAQ formats will always encrypt the names of files
inside an encrypted archive.
Encrypt files with two factor authentication (password and keyfile)
PeaZip free encryption software supports optional two factor
authentication (2FA) for any write-supported archive format (7Z, ARC,
PEA, RAR, ZIP) using both a password (the element you know) and a
keyfile (the element you have) to encrypt the content: it is only
necessary to enter a keyfile in the password dialog when creating the
archive.
If a keyfile is set for any format other than PEA (which has its own
way to use the keyfile), the SHA256 hash of the file, encoded in Base64
(RFC 4648), is prepended to the password used to build the archive,
using the standard encryption mechanism of the archive format.
This simple password / keyfile combination scheme retains read
compatibility with any other file archiver, even ones not supporting
keyfile parsing (or with a different two factor authentication
implementation), simply by passing the Base64-encoded SHA256 hash of
the keyfile as the first part of the password.
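
To open such an archive (any format other than PEA) with another archiver, the combined password can be derived as follows. This is an added example, not PeaZip's own code: the function names are hypothetical, and it assumes the Base64 encoding (standard alphabet, with padding) is applied to the raw 32-byte SHA256 digest, which the description above does not specify.

```python
import base64
import hashlib
import os
import tempfile


def keyfile_prefix(path, chunk_size=1 << 20):
    """Base64 (RFC 4648) of the SHA256 digest of the keyfile at `path`."""
    digest = hashlib.sha256()
    with open(path, "rb") as keyfile:
        # Read in chunks so a keyfile of any size can be hashed.
        for chunk in iter(lambda: keyfile.read(chunk_size), b""):
            digest.update(chunk)
    # Assumption: Base64 over the raw 32-byte digest, not over its hex text.
    return base64.b64encode(digest.digest()).decode("ascii")


def effective_password(password, keyfile_path=None):
    """Password to type into another archiver for a password+keyfile archive."""
    if keyfile_path is None:
        return password  # no keyfile: the password is used unchanged
    # The encoded keyfile hash is prepended to the typed password.
    return keyfile_prefix(keyfile_path) + password


def demo():
    """Derive the combined password for a constructed sample keyfile."""
    with tempfile.NamedTemporaryFile(delete=False) as sample:
        sample.write(b"constructed sample keyfile bytes\n")
        path = sample.name
    try:
        return effective_password("correct horse battery", path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Under this assumption the prefix is always 44 characters long, so any byte changed in the keyfile changes the first part of the password the archiver receives.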
KNOWN LIMITATION: two factor authentication (2FA) is not available for
self-extracting archives (which can be built with 7Z or ARC
compression), because usage of a keyfile is not supported by the
available SFX modules: otherwise the resulting executables would be
unable to extract themselves. When a self-extracting archive is
created, only the password (if provided) will be used for encrypting
it, and only the password will be needed to extract & decrypt it.
Choose the encryption algorithm
In the "Advanced" tab of the archive creation interface users can
choose the encryption method to apply to the archive: by default the
recommended method will be displayed.
For increased security, PeaZip file manager supports secure file
deletion to erase traces of unwanted data.
Read more about how to create encrypted 7Z archives, encrypt PEA
archives with AES, Twofish, or Serpent, create password protected RAR
files with PeaZip if WinZip is featured on the same machine, encrypt
ZIP files, create encrypted ZPAQ archives.