ZipToolView zip files online — 100% private

How to Password Protect a Zip File

To password protect a zip file, create the archive with a tool that supports strong AES-256 encryption, enter a password, and choose AES-256 (not the legacy ZipCrypto) as the encryption method. 7-Zip is the most reliable cross-platform option: right-click the files, choose 7-Zip > Add to archive, set the format to zip, type a long password, and set the encryption method to AES-256. WinRAR and Keka do the same job.

The catch most people hit is that not every "password" option is equal. Zip files support two unrelated encryption schemes: the old, weak ZipCrypto, and the strong, modern AES-256. macOS's built-in Compress and the zip -e command use the weak one, and Windows Explorer has no strong zip encryption at all. This page shows the reliable way to make a properly encrypted archive, how to open one, and the honest limits you need to know.

The two kinds of zip encryption: ZipCrypto vs AES-256

Zip files can encrypt their contents two completely different ways, and which one you get determines whether your data is actually protected.

ZipCrypto (sometimes called "traditional" or "classic" zip encryption) is the original, built into the format decades ago. It is weak. It is vulnerable to known-plaintext attacks, where an attacker who can guess or obtain one unencrypted file inside the archive can recover the password and unlock everything. Tools like bkcrack turn this into a practical attack. Treat ZipCrypto as obfuscation, not protection, and never use it for anything sensitive.

AES-256 is strong, modern encryption. It was added to zip later through the WinZip AES extension and is supported by 7-Zip, WinRAR, Keka, and WinZip. It uses salt and password-based key derivation to resist dictionary and brute-force attacks, and it has no practical known-plaintext weakness. For any real protection, use AES-256.

  • ZipCrypto: the legacy default, weak, vulnerable to known-plaintext attacks (e.g. bkcrack) — avoid for sensitive data
  • AES-256: the WinZip AES extension, supported by 7-Zip, WinRAR, Keka, WinZip — the one to use
  • AES-256 uses salt and key derivation, so it resists dictionary and brute-force attacks far better than ZipCrypto
  • A zip can technically mix the two per entry, but pick AES-256 for everything and stop thinking about it

Create a password-protected zip with 7-Zip (recommended)

7-Zip is free, open-source, and the most reliable way to make an AES-256 zip that opens correctly on Windows, macOS, and Linux. Install it from 7-zip.org, then follow the steps below.

On Windows, select the files or folder you want to archive, right-click, and choose 7-Zip > Add to archive. In the dialog, set Archive format to zip, type a strong password in the password fields, and under Encryption set the Encryption method to AES-256. Tick Encrypt file names if you want the file listing itself hidden until the password is entered. Click OK and 7-Zip writes an encrypted archive.zip.

On macOS, install 7-Zip (there are native builds such as 7-Zip for Mac, or you can use Keka, below). The same steps apply: Add to archive, format zip, password, AES-256. On Linux, use the command line (below). The resulting .zip opens in 7-Zip, WinRAR, WinZip, and Keka on any platform; the password and AES-256 are the only things the recipient needs.

  • Right-click the files > 7-Zip > Add to archive
  • Set Archive format to zip
  • Enter a long, random password
  • Set Encryption method to AES-256 (not ZipCrypto)
  • Tick Encrypt file names if you want to hide the file list as well as the contents
  • Click OK; the resulting .zip opens in 7-Zip, WinRAR, WinZip, and Keka on any OS

Using WinRAR, Keka, and other GUI tools

WinRAR (Windows) can create AES-encrypted zips, but it does not default to AES for zip files — it defaults to legacy ZipCrypto. Right-click the files > Add to archive, set Archive format to ZIP, click Set password, enter the password, and explicitly check Zip encryption: AES-256 (or set the encryption method to AES) before you click OK. If you skip that step you will get weak ZipCrypto, so always confirm.

On macOS, Keka is the friendliest option. Drag your files onto Keka, choose zip as the format, enter a password, and make sure AES-256 is selected. Keka avoids the macOS limitation below because it does not use the weak built-in encryption. WinZip (Windows and macOS) also supports the AES extension and is a fine paid choice. Whatever tool you pick, confirm the encryption method actually says AES-256, not "ZipCrypto" or "legacy."

The macOS limitation (and the Windows one)

This trips people up constantly. On a Mac, the built-in Compress menu item (Finder > right-click > Compress "items") makes an unencrypted zip. The terminal command zip -e archive.zip files does prompt for a password, but it encrypts with legacy ZipCrypto, not AES. For anything sensitive, neither option is good enough.

For strong encryption on macOS, use 7-Zip, Keka, or another tool that explicitly supports AES-256. The same is true on Windows: Windows Explorer has no built-in strong zip encryption. Right-clicking > Send to > Compressed (zipped) folder makes an unprotected archive, and there is no password option at all. You need 7-Zip, WinRAR, or a similar tool.

  • macOS Finder > Compress produces an unencrypted zip
  • macOS zip -e prompts for a password but uses weak ZipCrypto, not AES
  • Windows Explorer's Compressed (zipped) folder has no password option at all
  • For real encryption on either OS, use 7-Zip, WinRAR, Keka, or WinZip

Command line: zip -e vs 7z

From a terminal, the built-in zip command with the -e flag prompts for a password but, like macOS, encrypts with legacy ZipCrypto: zip -e archive.zip file1 file2. Fine for deterring casual snooping, not for protecting secrets.

For AES on the command line, use 7-Zip's 7z command: 7z a -tzip -pYOURPASSWORD -mem=AES256 archive.zip file1 file2. The -tzip forces zip format (7z can also make .7z archives, which default to AES-256), -p sets the password, and -mem=AES256 selects the encryption method. Add -mhe=on to encrypt the file names as well as the contents (header encryption). On Linux you typically install it as the p7zip or p7zip-full package.

  • zip -e archive.zip files — prompts for a password, but uses weak legacy ZipCrypto
  • 7z a -tzip -pYOURPASSWORD -mem=AES256 archive.zip files — creates an AES-256 encrypted zip
  • Add -mhe=on to encrypt file names too (so the listing is hidden without the password)
  • On Linux install the p7zip / p7zip-full package to get the 7z command

How to open a password-protected zip

Opening an encrypted zip is straightforward in any tool that supports the encryption it used. In 7-Zip, double-click the archive, double-click a file to preview or select Extract and enter the password when prompted. In WinRAR and WinZip, the same: open the archive, and the password dialog appears when you try to view or extract an entry.

On macOS, the built-in Archive Utility does not support AES-encrypted zips well and will often fail or silently refuse; use The Unarchiver, Keka, or 7-Zip instead. On Windows, the OS prompt that appears for some zip types only understands legacy ZipCrypto, so an AES-encrypted archive will reject the password even when it is correct — open it in 7-Zip or WinRAR. If a password is rejected on an archive you know is right, the tool does not support the encryption method; switch tools.

  • 7-Zip: open the archive, extract or preview, enter the password when prompted
  • WinRAR / WinZip: open the archive, password dialog appears on view or extract
  • macOS Archive Utility does not handle AES reliably — use The Unarchiver, Keka, or 7-Zip
  • Windows Explorer only understands legacy ZipCrypto — an AES zip will reject a correct password there; use 7-Zip or WinRAR
  • If the right password is rejected, the tool lacks the encryption method, not the password

Can ZipTool open encrypted zips?

Honestly, no. ZipTool is a client-side zip viewer: it parses archives in the browser so the contents never get uploaded, but it does not handle password entry or decryption for encrypted entries, and it does not create or extract archives. A zip whose entries are encrypted cannot be previewed there, because there is no step to supply and apply the password.

Where ZipTool does fit is viewing unencrypted archives privately — browsing the file tree, searching, and previewing code, images, audio, video, and PDFs without the file leaving your browser. For inspecting a sensitive archive without spreading copies around, and for the broader picture on client-side vs server-side handling, see security and privacy. To create a plain (unencrypted) archive first, see how to create a zip file. For the rest of the how-to guides, start at how to.

Security tips that actually matter

A few choices decide whether your encrypted zip is genuinely protected or just looks protected.

Use AES-256, not ZipCrypto. This is the single most important choice; a strong password behind weak encryption is still weak. Generate a long, random password (16+ characters, mixed case, digits, symbols, ideally from a password manager) and share it through a different channel than the file itself — never in the same email or message. Turn on file-name / header encryption (Encrypt file names in 7-Zip) when you want the listing hidden, not just the contents. And remember there is no recovery: if you lose the password, the contents are gone.

  • Use AES-256, never legacy ZipCrypto, for anything sensitive
  • Use a long, random password (16+ characters) from a password manager
  • Share the password through a different channel than the archive
  • Enable Encrypt file names / header encryption if the file list is itself sensitive
  • There is no password-recovery backdoor: if you lose the password, the contents are gone

Frequently asked questions

How do I password protect a zip file?

Right-click the files, choose 7-Zip > Add to archive, set Archive format to zip, type a long password, and set the Encryption method to AES-256. Click OK. The resulting .zip opens in 7-Zip, WinRAR, WinZip, and Keka on Windows, macOS, and Linux with the same password. Avoid the built-in macOS zip -e and Windows Compressed folder options, which either use weak ZipCrypto encryption or no encryption at all.

What is the difference between ZipCrypto and AES?

ZipCrypto is the original, built-in zip encryption and is weak — it is vulnerable to known-plaintext attacks (practical with tools like bkcrack), so treat it as obfuscation rather than protection. AES (specifically AES-256 via the WinZip AES extension) is strong, modern encryption that uses salt and key derivation to resist brute-force and dictionary attacks, and it has no practical known-plaintext weakness. Always choose AES-256, which 7-Zip, WinRAR, Keka, and WinZip all support.

How do I open a password-protected zip?

Open it in a tool that supports the encryption it used. In 7-Zip, double-click the archive and enter the password when you extract or preview a file; WinRAR and WinZip behave the same way. Note that macOS Archive Utility does not handle AES reliably, and Windows Explorer only understands legacy ZipCrypto, so an AES-encrypted archive may reject a correct password in those built-in tools. If the right password is refused, switch to 7-Zip or WinRAR.

Can I recover a lost zip password?

No, there is no built-in backdoor. Zip encryption (both AES-256 and legacy ZipCrypto) has no master key or recovery mechanism, so if you lose the password the contents are effectively gone. With AES-256 and a strong password, brute-forcing it is infeasible. You can try dictionary attacks with tools like hashcat or John the Ripper, but against a long random password they will not succeed in any realistic time. Store the password in a password manager.

Is zip encryption secure?

AES-256 zip encryption is secure for protecting the confidentiality of archive contents, as long as you use a long random password and share it separately from the file. It has no practical cryptographic weaknesses today. Legacy ZipCrypto is not secure and should be avoided for anything sensitive because of known-plaintext attacks. Note that encryption protects confidentiality only — it does not make a malicious file inside the archive any less malicious once the password is entered and the file is extracted and run.

Does macOS or Windows have built-in zip password protection?

Not strong one. On macOS, Finder's Compress makes an unencrypted zip, and the terminal zip -e command uses weak legacy ZipCrypto rather than AES. On Windows, the built-in Compressed (zipped) folder has no password option at all. For real AES-256 encryption on either system, install 7-Zip, WinRAR, Keka (macOS), or WinZip.