Encrypting files with 7-Zip takes about 30 seconds once you know the settings, and AES-256 encryption is strong enough for business or personal use.
A single unencrypted file on a shared computer can leak passwords, tax returns, or client contracts. Here is how to encrypt 7-Zip archives the right way — it’s free, uses government-grade encryption, and once you pick the right format and toggle two settings, the process is finished in under a minute.
The version that ships from 7-zip.org uses AES-256 as its default cipher, the same standard banks and healthcare systems rely on. The catchable mistakes — weak passwords, the wrong archive format, a skipped checkbox — are exactly what this article walks through.
What You Need Before You Start
7-Zip runs on Windows 10 and 11 natively. Linux and macOS users can encrypt via the command line or a third-party GUI, but the primary supported environment is Windows. The software is open source and costs nothing.
The only thing you supply is a password. 7-Zip uses AES-256 with no master key or recovery mechanism — if you lose the password, the data is gone permanently. A minimum of 12 characters mixing uppercase, lowercase, and numbers is the baseline for adequate protection against brute-force attacks.
Encrypting Files With 7-Zip: What Each Setting Actually Does
The fastest route is the Windows File Explorer context menu — no need to open the 7-Zip application. Select your files or folders, right-click, and choose 7-Zip > Add to archive to reach the dialog where every encryption decision happens.
Name your archive in the top field. Below it, the Archive format dropdown defaults to 7z, which uses AES-256 automatically. If you switch to zip, you must manually set the encryption method to AES-256 — the default ZipCrypto is weak and should never be used for sensitive data.
In the Encryption section on the right, enter and confirm your password. Check the box labeled Encrypt file names — without it, anyone can open the archive and see the list of files inside even without the password. With it checked, the entire archive header is scrambled and reveals nothing until the password is entered.
Click OK. The encrypted archive appears in the same folder as the originals. Test it immediately by double-clicking it — you should be prompted for the password before you can see any file names.
Command Line Alternative (Linux, macOS, or Advanced Users)
Open a terminal and run 7z a -p -mhe=on archive.7z /path/to/files. The -p flag prompts for the password, and -mhe=on enables header encryption — the command-line equivalent of the “Encrypt file names” checkbox. The decryption command is 7z x archive.7z followed by the password.
How Do You Choose Between .7z And .zip Formats?
The format decision comes down to who needs to open the file. A .7z archive with AES-256 is more secure by default and compresses better, but the recipient must install 7-Zip or a compatible tool. A .zip archive with AES-256 opens natively in Windows without extra software, but only if you remember to change the encryption method from the default.
| Feature | .7z Format | .zip Format |
|---|---|---|
| Default encryption | AES-256 (strong) | ZipCrypto (weak) |
| AES-256 available | Yes, always | Yes, must select manually |
| Encrypt file names | Supported | Not supported |
| Windows native open | No (needs 7-Zip) | Yes |
| Compression ratio | Better (smaller files) | Moderate |
| Best for | Personal archives and sharing with tech-savvy recipients | Sending to colleagues who only use built-in Windows tools |
| Password recovery odds | Zero (AES-256 has no backdoor) | Zero (if AES-256 is used) |
What Happens If You Skip “Encrypt File Names”?
The archive is still password-protected, but anyone who has the file can see the names of every document inside without entering a password. A file named tax_return_2025.pdf or client_nda.docx leaks sensitive context even if the content is encrypted. Checking the box scrambles the entire header — no file names, no metadata, no clues. This is the single most common mistake people make, and enabling it costs zero extra effort.
Common Encryption Mistakes To Avoid
Most encryption failures aren’t caused by the software — they come from small errors in the setup. The table below covers the ones that matter most.
| Mistake | What It Costs You | The Fix |
|---|---|---|
| Using ZipCrypto instead of AES-256 | The archive can be cracked quickly by free tools | Always select AES-256 in the Encryption method dropdown |
| Password under 12 characters | Vulnerable to brute-force attacks | Use at least 12 characters with mixed case and numbers |
| Skipping “Encrypt file names” | File names visible to anyone who sees the archive | Check the box — it’s in the Encryption section |
| Sending password in the same email | One compromised email leaks both file and key | Send the file by email and the password by phone or separate app |
| Never testing the archive | Discover the password doesn’t work after deleting originals | Run 7z x archive.7z and verify it decrypts before deleting anything |
One extra note: 7-Zip encrypts individual files inside an archive. It is not a replacement for full-disk encryption tools like BitLocker or VeraCrypt. If you need to secure a USB drive or an entire laptop, use a dedicated disk-encryption product instead.
Your Encryption Checklist
Follow these six decisions every time you encrypt a file with 7-Zip, and you will never discover a leak after the fact.
- Pick .7z as the format for your own archives or technical recipients; pick .zip with AES-256 for anyone using stock Windows.
- Set a password of 12 characters or more with uppercase, lowercase, and at least one number.
- Check Encrypt file names before clicking OK.
- Move the archive to a different folder than the originals to avoid accidental overwrites.
- Verify the archive opens correctly with your password.
- Send the password through a separate channel — not in the same email as the attachment.
That’s the full process. You now have a password-protected AES-256 archive that can sit on a shared drive, cross a company network, or be emailed without exposing the files inside.
References & Sources
- Red Hat. “Encrypting and decrypting files with 7-Zip.” Covers AES-256 as default encryption and the -mhe=on flag for header encryption.
