How secure is 7-zip?

Question

Has its password protection system ever been broken into? Can it be trusted to hold extremely sensitive information?

Answer 1

If you're protecting anything that you would call "extremely sensitive" information, I would definitely not rely on password protection of an archiving program. I would choose something like GPG, which has been designed specifically for protecting sensitive information. Anything less is doing yourself a disservice.

If you do choose to use GPG, be sure to compress the data with 7-Zip first, then encrypt it. Trying to compress data that has already been encrypted will not produce a smaller file.

Answer 2

7zip uses AES-256, so it's high-quality and trustworthy. I think the weakest link would be the need for a password, so if you're very concerned about it you could use public-key cryptography through GPG.

Answer 3

It really depends on how sensitive your data is, and how easy you want this to be.

For highly sensitive information, A great solution would be to have your sensitive data in a physically safe walk-in safe, on a PC that's disconnected from any kind of network, and having the data encrypted an inaccessible from anywhere else (this does not make sense for my use :) ).

I like to use truecrypt, it allows multiple encryptions, and you can edit the file in-place (in a mounted volume, without extracting and returning the files).

Answer 4

As mentioned before 7-zip uses AES-256 which is considered fairly secure, so while the algorithm is secure, the security of your data now depends on the complexity and security of your password and the fact that the implementation of AES-256 within 7-zip is correct.

Depending on your need for security you would have to take measures to secure the encryption key and then decide whose implementation of AES to trust.

Answer 5

Moderation rules to some extent, secured but easy to use... because in the real world:

http://xkcd.com/538/

Answer 6

A few comments on the previous answers:

1) No need to zip files before using GPG. GPG automatically compresses files before encrypting them. However, if you want to send a number of files together then zip them first into a single archive before passing to GPG as GPG can only work on a single file at a time.

2) The AES encryption algorithm used by 7zip doesn't in itself guarantee secure encryption - a point often missed when people say something is "AES-encrypted". AES is a 256-byte block cipher which means it encrypts 256 bytes at a time. Using exactly the same algorithm 256 bytes after 256 bytes makes it much easier to crack and so all good AES algorithms applied to a variable byte length file (or streamed data) vary the algorithm block-by-block. This variation is known as "mode" - see "Block cipher modes of operation" on Wikipedia. I'm afraid I don't know what mode is used by 7zip nor how secure it is.

3) Don't use 7zip repeatedly with the same password. This also makes files easy to crack since patterns can start to be detected across encrypted files. Use a different and complex password for each file. This is where GPG makes life a lot simpler. It uses public key encryption to establish a new symmetric encryption key for each file and to produce various digests. The bulk of the file is then encrypted using the random symmetric key. So each GPG encryption automatically uses a different key or "password".

Answer 7

I downloaded the sources of p7zip (the port for linux). It seems to use the CBC mode of operation with a random initialization vector. I also looked for the quality of key derivation algorithm - it seems to use a salt of 4 bytes and 2^19 iterations of sha256 to produce the encryption keys with your password.

It seems to be a pretty secure encryption.