HOWTO: Quick 7-Zip Trick to Encrypt Your Files with Non-Interactive Mode
I have a lot of data that I archive away on a regular basis, both on my “PC” machines and my mobile devices OTA. I needed a reproducible way to protect that data with a very strong, complex password and extremely tight compression.
Unfortunately, p7zip on Linux and 7-Zip for Windows don’t permit a non-interactive way to pass in a password. So I came up with a quick-and-dirty workaround!
- First, generate a complex password and put it in a file with one line. Make sure there are no leading or trailing characters in this file, including a trailing newline. There should be one and only one line in this file. Here are some examples of passwords generated with the level of complexity you’ll want for secured archives (42 characters in length, 15 minutes of generated entropy from a hardware dongle):
{Kt8}m.Gs7:g}=%-nfX[F_E(tKs[X,}GrN$mz^?m7^
+S/>>@7DzKafmLkSkS:-"4-*@k)#u@mQ>"=7j_vvu,!
<prX9WG#h,t-Ka`poA9rhJWc]H9M}`NA(8_93tD\hR
- Now with that password in a file, run the following loop to compress the data and pass in the password inline.
You’ll notice that on Windows I use Cygwin, because there I can create scripts and retain my previous command-line history to reproduce this on a regular basis.
I’m also using lzma2 here because it gives me slightly tighter compression for minimally more CPU time to generate the archives.
On Linux
for i in *.xml; do cat your-pw-file | 7z u -t7z -m0=lzma2 -mx=9 -mfb=64 -md=64m -ms=on "$i.7z" "$i" -p --; done
On Windows (using Cygwin)
for i in *.xml; do cat your-pw-file | /cygdrive/c/Program\ Files/7-Zip/7z.exe u -t7z -m0=lzma2 -mx=9 -mfb=64 -md=64m -ms=on "$i.7z" "$i" -p --; done
- To verify that the files are properly encrypted and the right password works as expected, test as follows:
On Linux
for i in *.7z; do cat your-pw-file | 7z t "$i" -p --; done
On Windows (using Cygwin)
for i in *.7z; do cat your-pw-file | /cygdrive/c/Program\ Files/7-Zip/7z.exe t "$i" -p --; done
- Now you can delete that password file from disk. I can’t stress this enough. Once you’ve used the password, and secured it in a managed password container, you’ll want to delete all traces of it that you do not need in plain sight on disk.
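The password-file handling in the first and last steps can be scripted. The following is an added example, not part of the original post: the helper names are hypothetical, and /dev/urandom is assumed as the entropy source in place of the hardware dongle.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Helper names are hypothetical.
# Assumption: /dev/urandom stands in for the post's hardware entropy dongle.

# Write a random password of $2 characters (default 42) to file $1,
# owner-readable only, with no trailing newline.
make_pw_file() {
    local file=$1 len=${2:-42} pw
    # Keep only printable ASCII '!'..'~'; discarding other bytes adds no bias.
    pw=$(LC_ALL=C tr -dc '!-~' < /dev/urandom | head -c "$len")
    ( umask 077; printf '%s' "$pw" > "$file" )
    chmod 600 "$file"   # also tightens a file that already existed
}

# Return 0 only if file $1 is a single line with nothing before or after it.
check_pw_file() {
    local file=$1 rc=0
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    # Any LF or CR byte means a trailing newline, a second line, or the
    # CRLF ending a Windows editor leaves behind.
    if [ "$(LC_ALL=C tr -dc '\n\r' < "$file" | wc -c)" -ne 0 ]; then
        echo "newline or carriage return in $file" >&2; rc=1
    fi
    if LC_ALL=C grep -Eq '^[[:space:]]|[[:space:]]$' "$file"; then
        echo "leading or trailing whitespace in $file" >&2; rc=1
    fi
    # Characters 5-10 of the ls mode string are the group/other bits.
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "group/other can access $file" >&2; rc=1
    fi
    return "$rc"
}

# Delete the password file after use. shred overwrites first where available;
# on SSDs and copy-on-write filesystems the overwrite is best effort only.
remove_pw_file() {
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    else
        rm -f "$1"
    fi
}

# Usage: make_pw_file your-pw-file && check_pw_file your-pw-file
```

Run `check_pw_file` on any password file edited by hand, since most editors append a newline on save.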
That’s it. Now when you want to decompress those archives, you’ll need to supply the password you generated before. Make sure you keep this password secured in a managed location. A password is only as secure as your ability to manage it.
Good luck!