How to Create Encrypted Zip or 7z Archives on Any Operating System

Zip files can be password-protected, but the standard Zip encryption scheme is extremely weak. If your operating system has a built-in way to encrypt zip files, you probably shouldn’t use it.

To gain the actual benefits of encryption, you should use AES-256 encryption. 7z archives support this natively, but you can also encrypt Zip files with AES-256 encryption.

Zip 2.0 Legacy Encryption vs. AES Encryption

There are actually two types of Zip file encryption. The older Zip 2.0 encryption is extremely insecure, while the newer AES encryption is fairly secure.

Unfortunately, many pieces of software — particularly operating systems with built-in support for Zip files — don’t support the newer AES encryption standard. This means that using the Zip password-protection features found in Windows XP, current versions of Mac OS X, and even typical Linux desktops won’t give you securely encrypted Zip files. Even some third-party utilities are reluctant to switch to AES for their Zip encryption as it means those AES-encrypted zip files will then be incompatible with the built-in Zip features in Windows, Mac OS X, and other software.

It’s still possible to get AES encryption with Zip files — but such files will require third-party software to view, anyway. You may just want to use a different archive format, such as 7z. The 7z archive format requires strong AES-256 encryption. Whenever you create a password-protected 7z file, you know that it’s securely encrypted. Really, 7z is great — it came out on top in our file-compression benchmarks. It’s generally on the top of other file compression benchmarks we’ve seen, too.

Windows – 7-Zip

Windows offers a built-in way to create Zip files. Windows XP even offered a way to password-protect and encrypt these Zip files. However, Windows XP used the extremely insecure “standard” zip file encryption algorithm. Even if you’re still using Windows XP, you shouldn’t use this feature. Later versions of Windows dropped the password-protection option entirely.

Nearly every popular encryption utility offers this features. We like 7-Zip, which is completely free and open-source, so it won’t try to nag you for any money.

With 7-Zip installed, you can select some files in a File Explorer or Windows Explorer window, right-click them, and select 7-Zip > Add to archive. Be sure to select the “Add to archive” option, as it gives you the ability to set a password. If you don’t see the menu option here, you can also open the 7-Zip application directly and use it to create an archive.

7-Zip will create a 7z archive by default, but you can also choose Zip. If you do opt to go with Zip, be sure to select the AES-256 encryption method instead of the weaker ZipCrypto method. Enter your password into the provided boxes and click OK to create your encrypted archive file.

Mac – Keka

Mac OS X also provides an easy way to create Zip files from a Finder window, but there’s no way to encrypt a zip file with the graphical user interface. The zip command included with Mac OS X does offer a way to encrypt zip files without using any third-party software. However, like the password-protection feature built into Windows XP, it uses the old and insecure standard zip encryption scheme. If you really wanted, you could use the “zip -e” command in a Terminal on a Mac. However, we strongly recommend against this.

As on Windows, you’ll once again need a third-party file compression app for secure compression. Keka seems to be one of the most well-loved file compression and decompression apps for Mac, and we can recommend it. However, even Keka doesn’t use AES for encrypting Zip files by default. You can get the currently-in-beta version of Keka and enable a hidden option to do this, or just use the standard version of Keka and create encrypted 7z files instead.

Launch Keka, select 7z, and enter a password for your archive. (If you select Zip, be sure you have the correct version of Keka and that you’ve enabled the hidden option above to get the secure encryption.)

Drag and drop one or more files you want to compress onto the Keka window and they’ll be compressed into a 7z file encrypted with the password you provided. You’ll need the password to access the file’s contents in the future.

Linux – File Roller with p7zip-full

The standard Archive Manager (File Roller) application included with Ubuntu and other GNOME-based desktop environments does have an option to create password-protected zip files. However, the underlying zip command used still uses the old, weak encryption instead of strong AES encryption. Thankfully, File Roller can be used to create encrypted 7z archives.

To enable this option, you’ll first need to install the p7zip-full package. (On some Linux distributions, it may just be called p7zip instead.) For example, on Ubuntu, you can either open the Ubuntu Software Center, search for p7zip-full and install it, or open a Terminal window and run the sudo apt-get install p7zip-full command.

Once you have, you can create encrypted 7z files directly from the File Roller window. Select some files in a file manager window, right-click them, and select Compress — or open the Archive Manager application directly and use it to create a new archive.

In the Compress window, be sure to select the 7z archive format. Click the Other Options header and provide a password. The password will be used to unlock your archive later.

There are many different software programs for creating password-protected archives, but — whatever you use — be sure it’s using secure encryption. The problem with Zip encryption isn’t purely theoretical. The web is full of tools that can “recover” a password-protected zip file that was created using the old encryption scheme. “Recover” is a less-scary word for breaking and removing the encryption.

RHEL 6 Tips and Tricks

Ulimit settings and SSH logins

On a RHEL5/6 server ulimit setting was not applied when I looged in using SSH. No matter what I did the setting remained the same. Doing a “su – ” to a user, however, worked like a treat. Strange! I did a bit of googling and found the following answer to my problem:

1. In /etc/pam.d/sshd add the line

session   required   pam_limits.so

2. In /etc/pam.d/login add the line

session   required   pam_limits.so

3. In /etc/ssh/sshd_config add

   UsePAM yes

(this might already be in place in your config file – I’m not using a stock sshd_config)

4. reload SSH

  /etc/init.d/sshd restart

Now change something in /etc/security/limits.conf

user1        soft        nofile         2048
user1        hard       nofile         4096

Log in as user1 – and voila!

ulimit -n should now show 2048 and ulimit -nH 4096

VSFTP (Very Secure FTP)

Configuration variables to note

chroot_local_user If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login

chroot_list_enable If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The meaning is slightly different if chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT to be placed in a chroot() jail. By default, the file containing this list is /etc/vsftpd.chroot_list, but you may override this with the chroot_list_file setting.

userlist_enable If enabled, vsftpd will load a list of usernames, from the filename given by userlist_file. If a user tries to log in using a name in this file, they will be denied before they are asked for a password. This may be useful in preventing cleartext passwords being transmitted. See also userlist_deny.

userlist_deny This option is examined if userlist_enable is activated. If you set this setting to NO, then users will be denied login unless they are explicitly listed in the file specified by userlist_file. When login is denied, the denial is issued before the user is asked for a password.

passwd_chroot_enable If enabled, along with chroot_local_user , then a chroot() jail location may be specified on a per-user basis. Each user's jail is derived from their home directory string in /etc/passwd. The occurrence of /./ in the home directory string denotes that the jail is at that particular location in the path.

vsftpd.conf contents:


# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Authorized Use Only.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd whith two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/userlist_file
passwd_chroot_enable=YES

/etc/hosts.allow entry for tcp wrappers

## Allow vsftp from wdc-ndmftpgw1
vsftpd:10.192.76.70

The two users that are authorized to access vsftpd is ndmftp-p
(wdc-ecdobatch01, wdc-ecdobatch02) and ndmftp-t (wdc-ecdobat01tst)

/etc/passwd entry for user ndmftp-p on wdc-ecdobatch01 and wdc-ecdobatch02

ndmftp-p:x:100034:65208:wdc-ndmftpgw Generic PROD Account:/dst/informa/prod/transfer/./ndmftpgw:/bin/ksh

/etc/passwd entry for user ndmftp-t on wdc-ecdobat01tst

ndmftp-t:x:100035:65208:wdc-ndmftpgw Generic TEST Account:/dst/informa/test/transfer/./ndmftpgw:/bin/ksh

Note: The '.' in the user's home directory path denotes where the chroot begins.

RHEL-ESX - Dynamic Memory Activation

Many times, memory increases may be needed on a RHEL guest running under ESXi. Typically administrators would schedule a time to perform a reboot to make the memory active and visible to the RHEL guest. The following helper script will assist in making this an online/inline change, no longer requiring a reboot of the guest.

Dynamic Memory Activation in ESXi for RHEL Guests

if [ "$UID" -ne "0" ]
then
echo -e "You must be root to run this script.\nYou can 'sudo' to get root access"
exit 1
fi

for MEMORY in $(ls /sys/devices/system/memory/ | grep memory)
do
SPARSEMEM_DIR="/sys/devices/system/memory/${MEMORY}"
echo "Found sparsemem: \"${SPARSEMEM_DIR}\" ..."
SPARSEMEM_STATE_FILE="${SPARSEMEM_DIR}/state"
STATE=$(cat "${SPARSEMEM_STATE_FILE}" | grep -i online)
if [ "${STATE}" == "online" ]; then
echo -e "\t${MEMORY} already online"
else
echo -e "\t${MEMORY} is new memory, onlining memory ..."
echo online > "${SPARSEMEM_STATE_FILE}"
fi
done

Script Description

The script traverses the filesystems looking for the memory entries located in /sys/devices/system/memory. Each entry under this filesystem represents a memory address with status information located within the directory found. The script then traverses the found memory locations and checks the value contained in the file state. If the value contained is online, then that is active already. Otherwise, the script sets the value of state to online.

Creating Init Scripts for RHEL

The expected procedures for creating init scripts in RHEL, located in /etc/init.d, are as follows:

1. The script must be compliant with chkconfig - the configuration utility for run-level services in RHEL
         1. The script must contain the proper heading information to allow chkconfig to process the script for               run-level service
                      chkconfig script heading example
                      format chkconfig runlevel start order, stop order
                      description must contain text!
                    # chkconfig: 3 25 15
                    # description: Start/Stop the script at boot time

          2. Example script for PatrolAgent
              PatrolAgent
              #!/bin/ksh
              #
              #Added 06/12/2002 by OSG for BMC Patrol 3.5.30
             #
             #This starts the Patrol Agent on port number 2112 during system startup
             #
              #
             #
            # chkconfig: 3 25 15
             # description: Start/Stop the Patrol Agent at boot time


             case $1 in
              'start' )
             su - patrol -c "/var/patrol/Patrol3/PatrolAgent -p 2112 >/dev/null 2>&1"
              ;;

             'stop' )
             kill `ps -ef | grep PatrolAgent | awk '{print $2}'`
              ;;

             * )

             echo "error:syntax service PatrolAgent start/stop"

             ;;

            esac

           exit 0

         

2. The script needs to be copied to /etc/init.d, owned by root, and file access permissions of 755
Ownership and File Access Permissions
chown root:root /etc/init.d/<script name>
chmod 755 /etc/init.d/<script name>

3. Finally, the script needs to be added as active to the run-level service

Activate Run-Level Script chkconfig --add <script name>

Example Partition Creation

To begin, you will need to determine what devices are being used for LVM:

[root@system /]# pvscan
PV /dev/cciss/c0d0p2 VG rootvg lvm2 [17.56 GB / 352.00 MB free]
Total: 1 [17.56 GB] / in use: 1 [17.56 GB] / in no VG: 0 [0 ]
[root@system /]#

pvscan shows that on this system, we are working with device /dev/cciss/c0d0. Most systems will have something similar to /dev/sda. pvscan also shows that there is 17.56 GB allocated and 352 MB free.
The next step is to create a usable partition:

[root@system /]# parted
GNU Parted 1.8.1
Using /dev/md0
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted)

Run select to use the right device from pvscan:
(parted) select

New device? [/dev/md0]? /dev/cciss/c0d0
Using /dev/cciss/c0d0
(parted)
Get information about the current partitions by running print:
(parted) print

Model: Compaq Smart Array (cpqarray)
Disk /dev/cciss/c0d0: 73.4GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.3kB 263MB 263MB primary ext3 boot
2 263MB 19.1GB 18.9GB primary lvm

(parted)
We will be creating a new partition using mkpart. To get help for mkpart, type help mkpart:
(parted) help mkpart
mkpart PART-TYPE [FS-TYPE] START END make a partition

PART-TYPE is one of: primary, logical, extended
FS-TYPE is one of: ext3, ext2, fat32, fat16, hfsx, hfs+, hfs, jfs,
linux-swap, ntfs, reiserfs, hp-ufs, sun-ufs, xfs, apfs2, apfs1, asfs,
amufs5, amufs4, amufs3, amufs2, amufs1, amufs0, amufs, affs7, affs6,
affs5, affs4, affs3, affs2, affs1, affs0
START and END are disk locations, such as 4GB or 10%. Negative values
count from the end of the disk. For example, -1s specifies exactly the
last sector.

mkpart makes a partition without creating a new file system on the
partition. FS-TYPE may be specified to set an appropriate partition ID.
At the moment mkpart does not support ext3 file systems.
(parted)
Start the new partition from the end of the last partition.

(parted) mkpart primary 19.1G 30G
(parted)

To validate the new created partition, type print:

(parted) print

Model: Compaq Smart Array (cpqarray)
Disk /dev/cciss/c0d0: 73.4GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.3kB 263MB 263MB primary ext3 boot
2 263MB 19.1GB 18.9GB primary lvm
3 19.1GB 30.0GB 10.9GB primary

(parted)

Notice that the total size created is ~11 GB.
Finally, we must set the flag for lvm:

(parted) set 3 lvm on

(parted) print

Model: Compaq Smart Array (cpqarray)
Disk /dev/cciss/c0d0: 73.4GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.3kB 263MB 263MB primary ext3 boot
2 263MB 19.1GB 18.9GB primary lvm
3 19.1GB 30.0GB 10.9GB primary lvm

(parted)

Type quit to exit parted:

(parted) quit