AES is the Advanced Encryption Standard, which is the result of a three-year
competition sponsored by the U.S. Government's National Institute of Standards
(NIST). This encryption method, also known as Rijndael, has been adopted
by NIST as a Federal Information Processing Standard.
We support AES encryption in two different strengths: 128-bit AES and
256-bit AES. These numbers refer to the size of the encryption keys that
are used to encrypt the data. 256-bit AES is stronger than 128-bit AES. An
advantage of 128-bit AES is that it is slightly faster than 256-bit AES,
that is, it takes less time to encrypt or decrypt a file.
The security of your data depends not only on the strength of the encryption
method but also on the strength of your password, including factors such
as length and composition of the password, and the measures you take to ensure
that your password is not disclosed to unauthorized third parties.
Note that the compressed file format extension used to store AES-encrypted
files is not supported by most other file compression utilities.
Limitations to be aware of
The AES encryption facility represents a significant advance on previous
encryption methods, and it can help meet the need that many users have for
preventing their confidential information from being viewed by unauthorized
individuals. There are, however, some limitations that you should be aware
Encryption applies only to the contents of files stored within a compressed
file. Information about an encrypted file, such as its name, date, size,
attributes, and compression ratio, is stored in unencrypted form in the file's
directory and can be viewed, without a password, by anyone who has access
to the file.
The encryption method is not the same thing as an authentication method
for the compressed file. Encryption is intended to prevent someone who doesn't
know the correct password from finding out the contents of your encrypted
data. The password is not needed for actions that do not involve decryption
of the encrypted contents of data stored within a file. In particular, encrypted
files can be deleted from a compressed file, or can be renamed within a
compressed file, and new, unencrypted, files can be added to a compressed
file, without a password.
We use password-based encryption, and even a strong encryption algorithm
like AES is of little or no benefit if the passwords you use are weak, or
you do not keep track of them in a secure manner.
We recommend that if you are going to be using the same password to encrypt
very large numbers of files with the AES encryption (that is, files totaling
in the millions, for example 2000 compressed files, each containing 1000
encrypted files) you use 256-bit AES keys rather than 128-bit AES-keys.
Notes on encryption safety
Encryption provides a measure of safety for your sensitive documents,
but even encrypted documents can be compromised (regardless of what software
they were encrypted by). Here are some of the ways this can occur. This is
by no means an exhaustive list of potential risks; it is intended only to
give you an idea of some of the safety issues involved with sensitive
If a keystroke monitor or other malicious code (such as a virus) is running
on your computer, your password may be recorded when you type it. Be sure
to check frequently for viruses and follow other recommended computer safety
If you extract an encrypted file and then delete the file, it may be possible
for someone to later "undelete" the file using file recovery software or
the Recycle Bin.
When you open or view a file from an archive (e.g., by double clicking
it), the uncompress program must extract the file to a temporary location
so that the associated program can open it. If you subsequently close the
uncompress program without first closing the program that is using the file,
the uncompress program may not be able to delete the temporary copy of the
file, thereby leaving it on disk in unencrypted form. The associated program
may also make one or more backup copies of the decrypted file, and the uncompress
program will not be able to delete these. In addition, as described above,
it may be possible for someone to later recover deleted files using file
recovery software or the Recycle Bin.
After adding or extracting encrypted files, some or all of the unencrypted
file contents may remain in your computer's memory or the page swap files
on disk. A malicious user may be able to retrieve this unencrypted
We do not encrypt compressed file comments or, as described above, information
about encrypted files such as their names, dates, etc. Any user with access
to the compressed file can view this information without a password.
You may be able to eliminate some of these exposures using specialized
software such as virus scanners, disk erasers, etc.
Technical information on AES key generation
When you use AES encryption, the passwords that you enter are converted
into keys of the appropriate length (128 bits or 256 bits, depending on the
AES key length that you specify). This is done through the PBKDF2 algorithm
defined in RFC 2898 (also available as Public Key Cryptography Standard #5)
with an iteration count of 1000. We use 8-byte salt values with 128-bit AES
encryption and 16-byte salt values with 256-bit encryption.
One purpose for the "salt" values used with AES encryption is to yield
different encryption keys for each file, even if multiple files are encrypted
with the same password. With the 8-byte salt values used with our 128-bit
encryption it is likely that, if approximately 4 billion files are encrypted
with the same password, two of the files will be encrypted with the same
key. Someone who obtained copies of two files encrypted with the same key
could learn information about their contents, so it is advisable to stay
well below this limit. This is why we recommend that if you are going to
be using the same password to encrypt very large numbers of files with AES
encryption (that is, files totaling in the millions, for example 2000 compressed
files, each containing 1000 encrypted files), you use 256-bit AES keys, which
use 16-byte salt values, rather than 128-bit AES-keys, with their 8-byte
As part of the process outlined in RFC 2898 a pseudorandom function must
be called; we use the HMAC-SHA-1 function for this purpose, since it is a
well-respected algorithm that has been in wide use for this purpose for several
years. The PBKDF2 function repeatedly calls HMAC-SHA-1, which produces a
160-bit hash value as a result, mixing the outputs in a fairly complicated
way, eventually yielding a 128- or 256-bit encryption key as a result.
Note that, if you are using 256-bit AES encryption, the fact that HMAC-SHA-1
produces a 160-bit result means that regardless of the password that you
specify, the search space for the encryption key is unlikely to reach the
theoretical 256-bit maximum, and cannot be guaranteed to exceed 160 bits.
This is discussed in section B.1.1 of the RFC 2898 document.
You should keep the following considerations in mind
when choosing passwords for your files:
In general, longer passwords are more secure than shorter passwords. In
fact, taking maximum advantage of the full strength of AES encryption requires
a password of approximately 32 characters for 128-bit encryption and 64
characters for 256-bit encryption.
Passwords that contain a mixture of letters (upper and lower case), digits,
and punctuation are more secure than passwords containing only letters.
Because you can use spaces and punctuation, you can create "pass phrases"
that are long enough but still easy to remember and type.
Avoid using easily guessed passwords such as names, birthdays, Social
Security numbers, addresses, telephone numbers, etc.
Be sure to keep a record of the passwords you use and to keep this record
in a secure place. We have no way to access the contents of an encrypted
file unless you supply the correct password. Before storing your only copies
of critical information in encrypted form, you should carefully consider
the risks associated with losing or forgetting the passwords involved.