Free encryption software, encrypt 7Z PEA RAR ZIP files
PeaZip is a free file archiver focused on security. It reads and writes (encrypts and decrypts) many strong encryption standards, optionally using two factor authentication (2FA, password and keyfile) for increased security against means like social engineering or dictionary based attacks, which can considerably reduce the effort of brute-forcing a textual password or passphrase.
Purposes of file encryption
Use of end-to-end cryptography, in which sender and recipient are in charge of encrypting and decrypting the encoded data, is strongly recommended each time sensitive data is sent to (or through) external servers, even if the service is advertised as implementing cryptographic measures.
For example, creating encrypted mail attachments (and encrypting uploads to cloud services) preserves data secrecy against any unauthorized access to the user's private information and data even if the service is compromised, whether by a successful attack, an insider breach, or a plain change of policies granting access to unwanted subjects: opening and extracting the encrypted file will always require the encryption password to be known.
Encryption algorithms supported by PeaZip
Cryptographic protocols supported by PeaZip free encryption utility for writing (creating password protected archives) are:
- 7Z
  - 7-Zip / p7zip AES256-based encryption
- ZIP / ZIPX
  - WinZip AE (Advanced Encryption), AES256-based
  - ZipCrypto, for legacy compatibility purposes only, as the algorithm is considered weak under today's standards; not recommended to protect sensitive data
- ARC
  - FreeARC ARC format implementing an encryption scheme that supports AES256, the AES contest finalists Twofish256 and Serpent256, and the classic Blowfish algorithm
- PEA
  - PeaZip's native .pea file format, supporting AES, Serpent and Twofish (128 and 256 bit) EAX-mode authenticated encryption, enforcing cryptographically strong data secrecy and verifiable authenticity. Also, PEA format can use cascaded AES, Serpent and Twofish: all the data will be encrypted and authenticated by all three ciphers.
- RAR, if WinRar is installed in the system
  - RAR4 AES128-based encryption
  - RAR5 AES256-based encryption
- ZPAQ
  - ZPAQ AES256-based encryption
Read more about data encryption: NIST Information Technology Portal, IACR Cryptology archive, Wikipedia entry for encryption; view description of Advanced Encryption Standard finalists: Rijndael/AES, Twofish, and Serpent ciphers.
Read about how quantum computing would likely affect the symmetric key encryption algorithms employed in PeaZip, under current understandings of quantum computing technology, on Post-quantum computing cryptography analysis.
How are passwords managed in PeaZip
How are passwords handled in PeaZip
Passwords are entered in PeaZip and kept only for the current session of the app, until the app is closed.
Unchecking the option “Keep password for the current session” (in the password prompt) is more restrictive, as it resets the password each time a new archive is opened.
Passwords are kept in memory, unless the system decides to save the app’s memory in a paging file; preventing this is beyond the control of the app.
By default passwords are then sent, ephemerally, to the stdin of the backend binary's process (the binary handling each specific archive format), without sending them as command line parameters.
This is safer because sending passwords as command line parameters makes them visible, and logged, in the user’s process table and possibly console history, which (depending on the host system configuration) may not meet the security requirements desired by the user.
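The difference between the two delivery methods can be observed directly. This is an added example, not PeaZip code: the child process is a stand-in for a backend binary, and `SECRET`, `CHILD_CODE` and the function names are assumptions made for the demonstration.

```python
import subprocess
import sys
from pathlib import Path

SECRET = "constructed-example-passphrase"  # constructed sample value, not a real password
# Stand-in for a backend binary (assumption): waits for one line on stdin, then exits.
CHILD_CODE = "import sys; sys.stdin.readline()"


def visible_cmdline(pid: int) -> str:
    """Return the argument list that the process table exposes for pid."""
    proc_file = Path(f"/proc/{pid}/cmdline")
    if proc_file.exists():  # Linux: arguments are NUL-separated
        return proc_file.read_bytes().replace(b"\0", b" ").decode(errors="replace")
    # Other Unix-like systems: ask ps for the same information
    return subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                          capture_output=True, text=True).stdout


def secret_in_process_table(pass_as_argument: bool) -> bool:
    """Start the stand-in backend and report whether SECRET shows in its command line."""
    argv = [sys.executable, "-c", CHILD_CODE]
    if pass_as_argument:
        argv.append(SECRET)  # the exception case: password as a command line parameter
    child = subprocess.Popen(argv, stdin=subprocess.PIPE, text=True)
    try:
        listing = visible_cmdline(child.pid)  # child is still blocked on stdin here
    finally:
        child.communicate(SECRET + "\n")  # the default case: password sent over the pipe
    return SECRET in listing


if __name__ == "__main__":
    print("password as argument, visible:", secret_in_process_table(True))
    print("password over stdin, visible: ", secret_in_process_table(False))
```

Anything that samples process listings on the host (monitoring agents, audit logging, other local tools) sees the same argument list that `visible_cmdline` returns, which is why the stdin path is the default.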
Exceptions where the password is sent as command line parameter:
- If it is not possible to use stdin input for the target backend binary
  - This exception does apply to FreeArc, Pea, and Zpaq, legacy UnACE and UnRar5 plugins, and custom arbitrary binaries
  - This exception does NOT apply to 7z/p7zip (7Z, 7Z sfx, ZIP, ZIPX, RAR extraction) and WinRar (external, RAR compression)
- Always when using Console mode or GUI+Console mode option (Settings, Advanced tab, Backend binaries option group)
- Always when saving the task as command line script (Console tab in extraction and archiving screens). In this case the saved script file must also be handled securely so that it is not accessible to attackers.
“Force typing password interactively” option (in password dialog) disables entering the password in the PeaZip app, so passwords are never in the app’s memory at any time, nor passed to backend binaries by any means. Please note this will also disable browsing archives with encrypted TOC from PeaZip’s file browser.
When this option is checked, passwords are typed directly in each backend binary, for any backend binary, overriding any other PeaZip setting.
This mode can also be used to work with binaries that, for any reason, would not work with PeaZip passing the password through pipes.
Console scripts generated with this option checked will require typing passwords interactively, and will never have passwords saved in them.
Limitations:
- In this mode it is not possible to browse archives with encrypted TOC
- The Zpaq backend does not accept passwords interactively; in this case the password will not be asked for nor passed in any way
All characters are allowed in passwords, and it is strongly recommended to mix uppercase, lowercase, numbers and symbols, alongside relying on long passwords / passphrases which cannot be trivially linked to the user by social engineering, nor are likely to be recovered with a dictionary attack.
However, as an extra safety measure, PeaZip checks the password field to avoid using quote character(s): these would make it more difficult to check exported scripts (from Console tab in extraction and archiving screens) to detect if special characters in the password are correctly and safely escaped.
On Windows the warning is issued if the " double quote character is used; on non-Windows systems only if both the ' single quote and " double quote characters are used.
“Force typing password interactively” option (in password dialog) disables this check so any character can be used.
How to create encrypted 7Z PEA RAR ZIP archives
Create a new encrypted archive
To create an encrypted file archive (password protect files within archives), choose an archive type supporting encryption, such as ZIP, 7Z, ARC, PEA, and ZPAQ, add files to the archive being created as explained in the FAQ page, then click on the padlock icon to set a password and optionally a keyfile for the archive. The icon is in the status bar in the file/archive browser, and under the output file name in the archive creation interface.
Please note the password will be applied to the objects that will be added to the archive in the current operation. 7Z, ARC, ZIP, and ZIPX archives support file level encryption (multiple encryption passwords), so each file in an archive could have, if desired by the archive creator, a different password; applying a password to an existing archive will therefore not affect it (it will not apply password protection to already archived files).
Encrypt an already existing archive
To password-protect an already existing archive you need to extract and rebuild it, applying the desired password.
The archive conversion interface can help automate the task.
Manage encryption passwords
PeaZip's password manager is available from main menu, Tools > Password manager.
The password list file is saved in the user's private path, allowing each user to maintain a personal password manager containing different passwords or passphrases not accessible to other standard users of the same system.
Optionally, the user can decide to encrypt the password list with a master password, making the password manager private even to administrative accounts of the same machine, as the data file is unreadable until the correct password is provided.
Some archive types, like 7Z and ARC, support encrypting the file names of items added to the archive: in this case it will not even be possible to see the list of the archive's content, file and directory names (in case the very names expose sensitive information), without knowing the password. This option is available in the Password dialog. PEA and ZPAQ formats will always encrypt the names of files inside an encrypted archive.
Encrypt files with two factor authentication (password and keyfile)
PeaZip free encryption software supports optional two factor authentication (2FA) for any write-supported archive format (7Z, ARC, PEA, RAR, ZIP) using both a password (the element you know) and a keyfile (the element you have) to encrypt the content: you only need to enter a keyfile in the password dialog when creating the archive.
If a keyfile is set for any format other than PEA (which has its own way to use the keyfile), the SHA256 hash of the file encoded in Base64 (RFC 4648) is prepended to the password used to build the archive, using the standard archive format encryption mechanism.
This simple password / keyfile combination scheme retains read compatibility with any other file archiver, even ones not supporting keyfile parsing (or with a different two factor authentication implementation), simply by passing the Base64-encoded SHA256 hash of the keyfile as the first part of the password.
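To open such an archive in another archiver, the combined string can be derived from the keyfile as described above. This is an added example, not PeaZip code; the function names are hypothetical, and it assumes the raw 32-byte SHA256 digest is what gets Base64-encoded (standard alphabet, with padding).

```python
import base64
import hashlib
import tempfile
from pathlib import Path


def keyfile_prefix(keyfile: Path) -> str:
    """Base64 (RFC 4648) of the SHA256 digest of the keyfile contents."""
    digest = hashlib.sha256()
    with keyfile.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):  # stream large keyfiles
            digest.update(chunk)
    # Assumption: the raw 32-byte digest is encoded, standard alphabet, with padding.
    return base64.b64encode(digest.digest()).decode("ascii")


def effective_password(password: str, keyfile: Path) -> str:
    """String to enter in an archiver that has no keyfile support."""
    return keyfile_prefix(keyfile) + password  # keyfile hash first, then the password


def demo() -> tuple[str, str]:
    """Build a constructed keyfile and return (prefix, effective password)."""
    with tempfile.TemporaryDirectory() as tmp:
        keyfile = Path(tmp) / "example.key"
        keyfile.write_bytes(b"constructed keyfile contents\n")  # constructed sample
        return keyfile_prefix(keyfile), effective_password("example passphrase", keyfile)


if __name__ == "__main__":
    prefix, combined = demo()
    print("keyfile prefix    :", prefix)
    print("effective password:", combined)
```

Under that assumption the prefix is always 44 characters long, and the combined string should be entered interactively or over stdin rather than placed on a command line.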
KNOWN LIMITATION: two factor authentication (2FA) is not available for self-extracting archives (which can be built with 7Z or ARC compression), because usage of keyfile is not supported by available SFX modules - otherwise resulting executables would be unable to extract themselves. When a self-extracting archive is created, only the password (if provided) will be used for encrypting it, and only the password will be needed to extract and decrypt it.
Choose the encryption algorithm
In the "Advanced" tab of the archive creation interface users can choose the encryption method to apply to the archive: by default the recommended method will be displayed.
For increased security, PeaZip file manager supports secure file deletion to erase traces of unwanted data.
Read more about how to create encrypted 7Z archives, encrypt PEA archives with AES, Twofish, or Serpent, create password protected RAR files with PeaZip if WinZip is featured on the same machine, encrypt ZIP files, create encrypted ZPAQ archives.




