In a previous posting on Which is a safe way to transfer a copy of a sensitive document?, I have received suggestions to compress and encrypt an attachment file using the options of utilities such as zip, rar, 7zip and suchlike.
Although the specifics are not important here, the manual page of zip alerted me that there is much more to it than choosing a compression utility and send. Very seriously, the page zip is cautious to the point of hinting that you are not getting any serious encryption (emphasis added)
-P password --password password
Use password to encrypt zipfile entries (if any). THIS IS INSECURE! Many multi-user operating systems provide ways for any user to see the current command line of any other user; even on stand-alone systems there is always the threat of over-the-shoulder peeking. Storing the plaintext password as part of a command line in an automated script is even worse. Whenever possible, use the non-echoing, interactive prompt to enter passwords. (And where security is truly important, use strong encryption such as Pretty Good Privacy instead of the relatively weak standard encryption provided by zip‐ file utilities.)
Forewarned is forearmed. I have browsed/scanned several postings in this community such as
- How can I encrypt compressed data safely?
- Encrypted password inside compressed archive
- Does password protecting an archived file actually encrypt it?
- Is it easier to crack a ZIP file than a 7z archived file given they have the same password?
- Various questions about file compression and encryption regarding hacking (zip, rar, 7z)
- Which is more effective and 'secure': Compression+Encryption, or only Encryption?
It is a lot of (interesting, well-presented) information, and the problem has many dimensions: compression utility, encryption algorithms, archive handler, perhaps many more. The drawback there is that I am a lay, moderately computer-savvy user, who faces the problem of choosing a compression utility that should have the following features:
- be OS-agnostic. I am principally a Linux user, but I cannot afford making assumptions on which OS the mail recipient is using -- it'll probably be a Windows family member, although not necessarily -- I might wish to dual-boot on Windows one-off to bridge this gap;
- produce an encrypted file that is archive-handler agnostic. Likewise, I don't know which archive handler the recipient is using -- it'll probably be a Windows Explorer of sorts, but not necessarily;
- provide serious security; any perfunctory scrambling or placebo is obviously a waste of time;
- produce a file that is relatively handy to decompress and decrypt; I cannot make assumptions on how lay and computer-savvy the recipient is. He/she might even be someone for whom installing a new program can be taxing, assuming that his/her employer permits this in the first place.
Apparently, I need some guideline to navigate this problem and choose what to do for an informed guess.
Is there any 'self-aid' wiki resource that you would recommend to find what one is heading for when using this or that utility? Any other suggestions ideas allaying these sorts of headache?