Do encrypted compression containers like ZIP and 7-Zip compress or encrypt first?

Tags: 7-zip, compression, encryption

The discussion of "compress and then encrypt, or vice-versa" led me to ponder the following question: many compression containers, like ZIP, 7z, and RAR, support encrypting these containers. For example, when creating a 7z file in 7-Zip, the program lets you enter an encryption password.

For these file types, are the files compressed and then encrypted, as recommended in the aforementioned question, or the reverse? Or, is there some way that these can compress and encrypt the data at the same time?

When I create an encrypted 7z file, I can view the filenames inside of the encrypted archive, but I cannot view the contents of those files without entering the passphrase. How is this possible? As an aside, is there any way to encrypt a 7z or similar archive such that the file names and directory structure within are not visible without using the passphrase?

I would prefer answers with definitive sources/references, not just speculation. We can all make guesses about this, but if somebody can show me documentation proving that it works one way or another, that would be ideal.

Best Answer

I would assume that 7-Zip and other archiving tools compress before they encrypt, for the reasons stated in the linked blog post. But I was unable to find any documentation that confirms that, nor could I immediately ascertain it from looking at the 7-Zip source code.

However, I can explain why filenames aren't encrypted. As you might be aware, the 7z format contains a header with the file information and other metadata. 7-Zip will not encrypt this header unless you explicitly enable it. You can do this by checking the Encrypt file names box at the bottom of the Encryption segment of the archive creation screen on Windows, highlighted in red below.

[Image: 7-Zip archive creation screen with encryption segment highlighted]

On Linux and other Unix-like operating systems (and presumably the command-line 7-Zip tool on Windows), you can enable header encryption by adding a -mhe=on switch to the 7z command.
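
To check which case an existing archive falls into, the sketch below (an added example, not part of the original answer or of 7-Zip) reads the 7z start header and reports whether the metadata header is stored plain, compressed only, or encrypted. The layout constants follow 7-Zip's published format description; the AES lookup is a heuristic byte search, and the sample images are constructed, with zeroed CRC fields.

```python
import struct
import sys

SIGNATURE = b"7z\xbc\xaf\x27\x1c"        # first 6 bytes of every .7z file
K_HEADER, K_ENCODED_HEADER = 0x01, 0x17  # property IDs of the metadata header
AES_CODEC_ID = b"\x06\xf1\x07\x01"       # coder ID of 7-Zip's AES-256 method

def header_state(data: bytes) -> str:
    """Return 'encrypted', 'compressed-only', 'plain' or 'empty'."""
    if len(data) < 32 or data[:6] != SIGNATURE:
        raise ValueError("not a 7z archive")
    # Bytes 12..27: offset (counted from byte 32) and size of the metadata header.
    offset, size = struct.unpack_from("<QQ", data, 12)
    if size == 0:
        return "empty"
    header = data[32 + offset:32 + offset + size]
    if len(header) != size:
        raise ValueError("truncated archive")
    if header[0] == K_HEADER:
        return "plain"  # file names sit in the file as readable UTF-16LE
    if header[0] != K_ENCODED_HEADER:
        raise ValueError(f"unexpected header property 0x{header[0]:02x}")
    # Heuristic: an encoded header that lists the AES coder is encrypted;
    # one that lists only a compression coder is readable by anyone.
    return "encrypted" if AES_CODEC_ID in header else "compressed-only"

def make_sample(next_header: bytes) -> bytes:
    """Constructed test image: layout only, CRC fields are zeroed."""
    start = struct.pack("<QQ", 0, len(next_header))
    return SIGNATURE + b"\x00\x04" + bytes(4) + start + bytes(4) + next_header

# Constructed metadata headers (not taken from real archives).
SAMPLE_PLAIN = make_sample(b"\x01\x04\x06\x00")
SAMPLE_LZMA = make_sample(b"\x17\x06\x20\x07\x0b\x01\x00\x01\x23\x03\x01\x01\x05")
SAMPLE_AES = make_sample(b"\x17\x06\x20\x07\x0b\x01\x00\x01\x24\x06\xf1\x07\x01\x0a")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], header_state(fh.read()))
    else:
        for name in ("SAMPLE_PLAIN", "SAMPLE_LZMA", "SAMPLE_AES"):
            print(name, header_state(globals()[name]))
```

Pass the path of a real archive as the first argument; one created with a password and -mhe=on reports encrypted, while "compressed-only" or "plain" means the file names are recoverable without the passphrase.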
