173

I want to create some tar.gz (and possibly tar.bz2) files, using the tar command on Ubuntu 10.04.

I want to password protect the file.

What is the command to do this (I have Googled, but found nothing that shows how to create and extract compressed files using a password).

Does anyone know how to do this?

pulsarjune
morpheous
  • 1
    See also [this question](https://askubuntu.com/questions/17641/create-encrypted-password-protected-zip-file/1304097) on Ask Ubuntu for answers. – Matthias Braun Jan 05 '21 at 15:07

7 Answers

205

You have to apply the Unix philosophy to this task: one tool for each task.

Tarring and compression is a job for tar and gzip or bzip2. Crypto is a job for either gpg or openssl:

Encrypt

 % tar cz folder_to_encrypt | \
      openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -e > out.tar.gz.enc

Decrypt

 % openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -d -in out.tar.gz.enc | tar xz

Or using gpg

 % gpg --encrypt out.tar.gz

The openssl variant uses symmetric encryption, you would have to tell the receiving party about the used 'password' (aka 'the key'). The gpg variant uses a combination of symmetric and asymmetric encryption, you use the key of the receiving party (which means that you do not have to tell any password involved to anyone) to create a session key and encrypt the content with that key.

If you go the zip (or 7z) route: essentially that is the same as the openssl variant, you have to tell the receiving party about the password.

akira
  • 29
    For anyone wondering how to decrypt the file with openssl: `openssl aes-256-cbc -d -in out.tar.gz.enc -out decrypted.tar.gz` – ndbroadbent Jan 28 '13 at 22:03
  • 4
    @nathan.f77 that command also shows how to do things without piping them into openssl. `openssl enc -aes-256-cbc -e -in foo.tar.gz -out bar.tar.gz.enc` – Keith Smiley Mar 06 '14 at 23:48
  • 3
    @KeithSmiley if you have large archives and not a lot of space (like it could be on a VPS) it's more space-efficient to pipe. – Andrew Savinykh Jun 02 '14 at 23:15
  • I can't seem to run this on a mac. Is this different in any way? – eleijonmarck Dec 20 '16 at 20:46
  • 4
    @eleijonmarck provide the part "does not work because "… – akira Dec 21 '16 at 08:34
  • Doesn't work for me between Ubuntu 16.04 and Ubuntu 18.04 machine. Error: "bad decrypt" (and warnings about deprecated key derivation and hints to use -iter or -pbkdf2). Decrypting on the same (16.04) machine works. – Enno Gröper Aug 08 '19 at 06:59
  • @EnnoGröper: i provided 2 ways to encrypt / decrypt. also: provide the used software versions if you expect anyone to solve that issue of yours. – akira Aug 13 '19 at 19:03
  • Is it possible to set a password to encrypt or decrypt with openssl? – Aero Windwalker Mar 24 '20 at 14:12
  • (meaning with a flag, I want to put it in a script...) never mind I figured it out, with -k flag... – Aero Windwalker Mar 24 '20 at 14:19
  • I'm getting this warning: `*** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better.` – Slava Fomin II Jan 22 '21 at 22:26
  • How to open this encrypted file in Windows 11? – Kok How Teh Nov 25 '21 at 06:40
  • Possibly right click -> unzip? – perepm Nov 25 '21 at 09:12
  • 2
    Please be aware that this solution is from 2010! A lot has changed since then. To create a proper encrypted file in 2023 you should add pbkdf2 and iter parameters to the command, e.g. `openssl enc -aes-256-cbc -pbkdf2 -iter 100000`. See https://askubuntu.com/a/1126882/161435 for an explanation of these switches. – nietonfir Jan 26 '23 at 13:04
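
Added example (not part of the original answer or its comments): a round trip of the tar and openssl pipeline in which encryption and decryption share the same cipher and key-derivation options, plus a check that decrypting without `-pbkdf2 -iter` fails to restore the data, which is the "bad decrypt" situation reported in the comments. `KDF_OPTS`, `ARCHIVE_PASS`, the function names and the sample data are assumptions of this example; the passphrase is supplied with `-pass env:` instead of `-k`.

```sh
#!/bin/sh
# Added example. KDF_OPTS, ARCHIVE_PASS and the function names are assumptions.
# Cipher and key-derivation options must be identical for encrypt and decrypt.
KDF_OPTS="-aes-256-cbc -pbkdf2 -iter 100000"

# encrypt_dir <dir> <out.tar.gz.enc>
# The passphrase is read from the ARCHIVE_PASS environment variable, so it is
# not placed on the command line the way `-k <password>` is.
encrypt_dir() {
    tar -C "$(dirname "$1")" -czf - "$(basename "$1")" |
        openssl enc $KDF_OPTS -pass env:ARCHIVE_PASS -out "$2"
}

# decrypt_dir <in.tar.gz.enc> <dest-dir> <openssl cipher/KDF options...>
# Streams straight into tar, so no plaintext archive is written to disk.
# The pipeline's exit status is tar's: output from a failed decryption is
# rejected because it is not a valid gzip stream.
decrypt_dir() {
    in=$1; dest=$2; shift 2
    openssl enc -d "$@" -pass env:ARCHIVE_PASS -in "$in" 2>/dev/null |
        tar -C "$dest" -xzf - 2>/dev/null
}

# roundtrip_demo: runs on constructed sample data and returns 0 only when
# matching options restore the file AND mismatched options restore nothing.
roundtrip_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/folder_to_encrypt" "$work/ok" "$work/bad"
    echo "constructed sample content" > "$work/folder_to_encrypt/note.txt"
    ARCHIVE_PASS="constructed-example-passphrase"; export ARCHIVE_PASS
    rc=1
    if encrypt_dir "$work/folder_to_encrypt" "$work/out.tar.gz.enc" &&
       decrypt_dir "$work/out.tar.gz.enc" "$work/ok" $KDF_OPTS &&
       cmp -s "$work/folder_to_encrypt/note.txt" \
              "$work/ok/folder_to_encrypt/note.txt" &&
       ! decrypt_dir "$work/out.tar.gz.enc" "$work/bad" -aes-256-cbc &&
       [ ! -e "$work/bad/folder_to_encrypt/note.txt" ]; then
        rc=0
    fi
    rm -rf "$work"
    return $rc
}

roundtrip_demo && echo "round trip ok; mismatched KDF options rejected"
```

`openssl enc` in CBC mode does not authenticate the ciphertext, so a successful extraction shows the passphrase and options matched, not that the file was unmodified.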
49

If your intent is to just password protect files, then use the handy zip utility through command line

zip -e <file_name>.zip <list_of_files>

-e asks the zip utility to encrypt the files mentioned in

Working example:

$ touch file_{0,1}.txt # creates blank files file_0 & file_1    
$ zip -e file.zip file_* # ask zip to encrypt
$ ENTER PASSWORD:
$ VERIFY PASSWORD:
$ ls file*
Leo
Antony Thomas
  • 625
  • 5
  • 4
  • 17
    Zip file encryption is not safe in any way. – Kristopher Ives May 02 '14 at 06:55
  • 4
    @KristopherIves can you elaborate on the unsafeness? – tscizzle Jun 02 '16 at 22:26
  • 1
    @tscizzle https://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack/pkcrack-readme.html – Kristopher Ives Jun 04 '16 at 02:09
  • 6
    @KristopherIves It requires "another ZIP-archive, containing at least one of the files from the encrypted archive in *unencrypted* form" to work. – Franklin Yu Dec 30 '16 at 20:36
  • 7
    "You need to know only a part of the plaintext (at least 13 bytes)". This makes it *much* more vulnerable than if an entire unencrypted file was required (which is already pretty bad). Also, zip encryption is not resistant to brute-force attacks (e.g. with Jack the Ripper). Nobody should be using it for anything serious. – EM0 Jul 24 '17 at 15:41
  • 1
    @EM0 Do you mean ["John the Ripper"](https://www.openwall.com/john/)? – bartolo-otrit Nov 07 '19 at 12:52
  • 1
    Yes, I meant "John the Ripper", thanks. (It took 2 years for someone to notice!) – EM0 Nov 07 '19 at 13:23
25

Here's a few ways to do this. One thing to note is that if you're going to use separate compression and encryption tools you should always compress before encryption, since encrypted data is essentially non-compressible.

These examples compress and encrypt a file called clear_text.

Using gpg

$ gpg -c clear_text #Compress & Encrypt
$ gpg -d clear_text.gpg #Decrypt & Decompress

gpg will compress the input file before encryption by default, -c means to use symmetric encryption with a password. The output file will be clear_text.gpg. One benefit of using gpg is that it uses standard OpenPGP formats, so any encryption software that supports OpenPGP will be able to decrypt it.

Using mcrypt

$ mcrypt -z clear_text #Compress & Encrypt
$ mdecrypt -z clear_text.gz.nc #Decrypt & Decompress

The -z option compresses. By default this outputs a file called clear_text.gz.nc.

Using bcrypt

$ bcrypt -r clear_text #Compress & Encrypt
$ bcrypt -r clear_text.bfe #Decrypt & Decompress

bcrypt compresses before encrypting by default, the -r option is so that the input file isn't deleted in the process. The output file is called clear_text.bfe by default.

Using gzip and aespipe

$ cat clear_text | gzip | aespipe > clear_text.gz.aes #Compress & Encrypt
$ cat clear_text.gz.aes | aespipe -d | gunzip > clear_text #Decrypt & Decompress

aespipe is what it sounds like, a program that takes input on stdin and outputs aes encrypted data on stdout. It doesn't support compression, so you can pipe the input through gzip first. Since the output goes to stdout you'll have to redirect it to a file with a name of your own choosing. Probably not the most effective way to do what you're asking but aespipe is a versatile tool so I thought it was worth mentioning.

Graphics Noob
  • 2 gotchas for the gpg encryption (which got me). 1) when you create the encrypted file, you'll be prompted to choose a password (as expected). Unexpectedly (for me) the password you choose is cached locally, so that if immediately you try to decrypt the file you will NOT be prompted (giving the false impression that your file is not encrypted). Try to open it elsewhere and you will need the pw. 2) default behaviour with --decrypt is to echo the cleartext on screen (bad for binary data or a huge tar), use `gpg --decrypt --output path/to/output-file path/to/encrypted-file` to decrypt to a file. – Daniel Howard Jun 09 '23 at 15:05
24

You can use 7zip to create your password protected archive. You can specify the password on the command line (or in a script) the following way:

7z a -p<password> <someprotectedfile>.7z file1.txt file2.txt

7zip can also read from STDIN as follows:

cat <somefile> | 7z a -si -p<password> <someprotectedfile>.7z

If it's mandatory to use zip files, you might want to play around with the -t<type> parameter (e.g. -tzip).

SaeX
  • 7
    I picked this as the answer because it's the only one that answers the question. The question isn't how to encrypt a message, it's how to password protect an archive. That's all I needed to do. (Gmail was blocking my server backups because it decided there was something unsafe in the attachment, and I just needed to add a password. It doesn't have to be secure.) – felwithe Sep 23 '16 at 16:56
  • Just a note that if you omit `` then 7-Zip will prompt you to type it twice. That should keep it out of your shell history. – mpen May 23 '23 at 00:38
10

Neither tar, gzip, nor bzip2 supports password protection. Either use a compression format that does, such as zip, or encrypt it with another tool such as GnuPG.

Ignacio Vazquez-Abrams
  • Ah, that explains why I couldn't find anything online. I think I'll go for zip. – morpheous Jul 12 '10 at 13:01
  • Gah!, I'm trying to recursively zip a directory with password, and it only creates a zip file with the name foobar as an (empty) directory in it. Here is the command I am using: zip -e foobar.zip foobar. foobar is a non-empty folder in the current directory – morpheous Jul 12 '10 at 13:22
  • 4
    Just like the man says, `-r`. – Ignacio Vazquez-Abrams Jul 12 '10 at 13:24
8

Create with:

tar czvf - directory | gpg --symmetric --cipher-algo aes256 -o passwordprotectedarchive.tar.gz.gpg

It will ask you for a password.

Decrypt with:

gpg -d passwordprotectedarchive.tar.gz.gpg | tar xzvf -
LHolleman
4

With zip and unzip

Keeping in mind the security issues of password-protected zip files, here's how to encrypt a directory and a file with zip:

zip -r --encrypt archive.zip a_directory a_file

You'll be prompted for a password.

To decrypt the files, you can use unzip:

unzip archive.zip

See this answer to encrypt and decrypt archives with bsdtar.

Matthias Braun