Encrypting Files

7-Zip

7-Zip is an open source tool for creating archives, compressing them, and encrypting them (much like zip). It has several algorithms for data compression:

  • LZMA – Default; an improved and optimized version of the LZ77 algorithm.
  • LZMA2 – An improved version of LZMA.
  • PPMD – Dmitry Shkarin’s PPMdH with small changes.
  • BCJ – A converter (filter) for 32-bit x86 executables.
  • BCJ2 – An improved converter for 32-bit x86 executables.
  • Bzip2 – The standard BWT algorithm.
  • Deflate – The standard LZ77-based algorithm.

7-Zip also supports AES-256 for encryption and can encrypt file names and directory names.

Using 7-Zip is pretty easy and is very similar to using zip. Here, I encrypt the simple text file hpc_001.html:

[laytonjb@home4 TEMP]$ ls -s
total 7288
 196 hpc_001.html  7092 MFS2007.pdf
[laytonjb@home4 TEMP]$ 7z a -p hpc_001.html.7z hpc_001.html
 
7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)
Scanning
 
Creating archive hpc_001.html.7z
 
 
Enter password (will not be echoed) :
Verify password (will not be echoed) :
Compressing  hpc_001.html      
 
 
Everything is Ok
[laytonjb@home4 TEMP]$ ls -s
total 7308
 196 hpc_001.html    20 hpc_001.html.7z  7092 MFS2007.pdf

The options I used are: a, create archive, and -p, set password. By specifying -p with no value, 7-Zip (p7zip, the command-line version of 7-Zip) prompts for the passphrase, so it is not recorded in the shell history. You can also give the passphrase directly on the command line, but then it does end up in the history.

A key point to note is that p7zip leaves the original file in place and creates a copy with a .7z extension. This might seem subtle, but it can be important. I like leaving the original file alone because if the encryption process goes sideways, I still have it available. I also like to decrypt the file and do a diff between the original file and the decrypted file. It might seem pointless to do this, but I like to make sure that the encryption and decryption processes worked correctly, AND I remember my passphrase.

To decrypt the file, you just use the e (extract) command:

[laytonjb@home4 TEMP]$ 7z e hpc_001.html.7z 
 
7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)
 
Processing archive: hpc_001.html.7z
 
 
Enter password (will not be echoed) :
Extracting  hpc_001.html
 
Everything is Ok
 
Size:       198510
Compressed: 18945

As you can see, p7zip reports some details about the extraction. Also don’t forget that, as part of the extraction, p7zip uncompresses the file as well, so you get back the original hpc_001.html.

OpenSSL

SSL and its successor TLS are protocols developed to provide communication security over a network using cryptography. You are probably most familiar with them from web browsers, where websites beginning with https use TLS. You can take advantage of the same cryptographic building blocks to encrypt your own data.

The most common implementation of SSL and TLS is OpenSSL, an open source community project providing a full-featured implementation of SSL and TLS as well as a general-purpose cryptography toolkit. It was the subject of the infamous Heartbleed vulnerability, which primarily affected the communication (TLS) side of OpenSSL. The cryptography library side of OpenSSL is still extremely useful.

OpenSSL has a number of ciphers, cryptographic hash functions, and public key encryption algorithms.

  • Ciphers
    • AES
    • Blowfish
    • Camellia
    • SEED
    • CAST-128
    • DES
    • IDEA
    • RC2
    • RC4
    • RC5
    • Triple DES
    • GOST 28147-89
  • Cryptographic hash functions
    • MD5
    • MD4
    • MD2
    • SHA-1
    • SHA-2
    • RIPEMD-160
    • MDC-2
    • GOST R 34.11-94
  • Public-key cryptography
    • RSA
    • DSA
    • Diffie–Hellman key exchange
    • Elliptic curve
    • GOST R 34.10-2001

OpenSSL really focuses on encryption and decryption and not compression. Consequently, you shouldn’t expect the encrypted file to be smaller than the original file.

Using OpenSSL requires a few more arguments than the typical encryption tool:

[laytonjb@home4 TEMP]$ ls -s
total 7288
 196 hpc_001.html  7092 MFS2007.pdf
[laytonjb@home4 TEMP]$ openssl aes-256-cbc -salt -in hpc_001.html -out hpc_001.html.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
[laytonjb@home4 TEMP]$ ls -s
total 7484
 196 hpc_001.html   196 hpc_001.html.enc  7092 MFS2007.pdf

The first option I use is aes-256-cbc, which tells OpenSSL to use the AES cipher with a 256-bit key in CBC mode. The -in option specifies the input file, and -out specifies the output (encrypted) file.

The option -salt is added to the command line because it can be very important for improving security. Classically, a salt is a random bit of data that is used as an additional input to a one-way function that hashes the passphrase. It protects against dictionary attacks and against precomputed rainbow table attacks. The reason is that without the salt, the same password always generates the same encryption key. When the salt is used with OpenSSL, the first 8 bytes of the encrypted data are reserved for the salt (i.e., the random bit of data). When the file is decrypted, the salt is read from the encrypted file and used for decryption.
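To make the salt’s role concrete, here is an added example (my code, not part of the original article or of OpenSSL) that reimplements, with nothing but the Python standard library, the legacy password-to-key derivation that openssl enc used in the era of the commands shown above (EVP_BytesToKey: repeated MD5 over password and salt, one iteration; OpenSSL 1.1.0 switched the default digest to SHA-256, and newer releases add a -pbkdf2 option that is the better choice today). It also parses the header that openssl enc -salt writes: the ASCII marker Salted__ followed by the 8 salt bytes, which is how the decrypting side recovers the salt. The password and the sample file bytes are constructed for the demonstration.

```python
import hashlib
import os
from typing import Optional, Tuple

# Header written by "openssl enc -salt": 8-byte ASCII marker, then the 8-byte salt.
SALT_MAGIC = b"Salted__"
SALT_LEN = 8


def evp_bytes_to_key(password: bytes, salt: Optional[bytes],
                     key_len: int = 32, iv_len: int = 16,
                     digest: str = "md5") -> Tuple[bytes, bytes]:
    """Legacy OpenSSL EVP_BytesToKey with a single iteration.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt); the
    digests are concatenated until key_len + iv_len bytes are available.
    Defaults (32-byte key, 16-byte IV) match aes-256-cbc.
    """
    if salt is not None and len(salt) != SALT_LEN:
        raise ValueError("OpenSSL enc salts are exactly 8 bytes")
    salt = salt or b""
    material = b""
    block = b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def make_salted_file(salt: bytes, ciphertext: bytes) -> bytes:
    """Lay out ciphertext the way "openssl enc -salt" does on disk."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 8 bytes")
    return SALT_MAGIC + salt + ciphertext


def split_salted_file(blob: bytes) -> Tuple[bytes, bytes]:
    """Recover (salt, ciphertext) from a Salted__ file; this is the step the
    decrypting side performs before deriving the key from the passphrase."""
    if not blob.startswith(SALT_MAGIC) or len(blob) < len(SALT_MAGIC) + SALT_LEN:
        raise ValueError("not a Salted__ file: the salt cannot be recovered")
    salt = blob[len(SALT_MAGIC):len(SALT_MAGIC) + SALT_LEN]
    return salt, blob[len(SALT_MAGIC) + SALT_LEN:]


def salt_demo(password: bytes = b"constructed-demo-passphrase") -> dict:
    """Show why the salt matters: without it the same passphrase always yields
    the same key; with fresh random salts the keys differ every time."""
    unsalted_a, _ = evp_bytes_to_key(password, None)
    unsalted_b, _ = evp_bytes_to_key(password, None)
    salt_a, salt_b = os.urandom(SALT_LEN), os.urandom(SALT_LEN)
    key_a, _ = evp_bytes_to_key(password, salt_a)
    key_b, _ = evp_bytes_to_key(password, salt_b)

    # Round trip through the file header: the "decryptor" reads the salt back
    # from the file and derives exactly the key the "encryptor" used.
    fake_ciphertext = b"\x00" * 32  # constructed stand-in for real AES output
    on_disk = make_salted_file(salt_a, fake_ciphertext)
    recovered_salt, body = split_salted_file(on_disk)
    key_recovered, _ = evp_bytes_to_key(password, recovered_salt)

    return {
        "unsalted_keys_identical": unsalted_a == unsalted_b,
        "salted_keys_differ": key_a != key_b,
        "salt_recovered_from_header": recovered_salt == salt_a,
        "key_rederived_from_file": key_recovered == key_a,
        "body_intact": body == fake_ciphertext,
    }


if __name__ == "__main__":
    for name, ok in salt_demo().items():
        print(f"{name}: {ok}")
```

The derived key and IV can be cross-checked against a real OpenSSL binary: openssl enc accepts an explicit hex key and IV via -K and -iv, and with -S you can pin the salt, so a file produced by the passphrase form can be decrypted with the values this function derives (for the MD5 era; pass digest="sha256" for OpenSSL 1.1.0 and later). The practical lesson is that the salt defends against precomputed attacks but adds no stretching, which is why -pbkdf2 is preferable on current releases.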

Notice that OpenSSL prompts for the passphrase and does not echo it, so it isn’t recorded in the shell history. Also, notice that OpenSSL doesn’t impose a standard file extension. I chose .enc to show that the file is encrypted.

As I mentioned earlier, OpenSSL is just an encryption tool. It doesn’t do file compression. Consequently, the file size of the encrypted text file in the previous example is roughly the same as the original text file. OpenSSL can operate on a compressed file as well, but in a step that is done separately:

[laytonjb@home4 TEMP]$ openssl aes-256-cbc -salt -in hpc_001.html.gz \
-out hpc_001.html.gz.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
[laytonjb@home4 TEMP]$ ls -s
total 7336
 196 hpc_001.html.enc    24 hpc_001.html.gz    24 hpc_001.html.gz.enc
7092 MFS2007.pdf

In this case, I used gzip to compress the file before using OpenSSL. Otherwise the process is the same. Notice the size difference between the encrypted compressed file and the encrypted but uncompressed file.

Decrypting a file is also fairly easy using the -d option on the command line:

[laytonjb@home4 TEMP]$ openssl aes-256-cbc -d -in hpc_001.html.enc -out hpc_001.html.2
enter aes-256-cbc decryption password:
[laytonjb@home4 TEMP]$ ls -s
total 7680
 196 hpc_001.html   196 hpc_001.html.2   196 hpc_001.html.enc
7092 MFS2007.pdf