Archive, Compress, and Password-Protect Your Files With Automator


Here at The Mac Observer, we’re frequently asked how someone can bundle a handful (or a bunch) of files, compress them, and then password-protect them. I’ve got an answer for that, using Automator and some magic in the form of bash shell scripting. It’s a hacksaw approach to what some might say is a job for a scalpel, but it works, and it gives you genuine AES-256 encryption, which the password option of the built-in zip tool does not. It’s fun, too, and paired with a strong password it is a far more secure way to password-protect your files than a zip password.


This handheld cipher was just the beginning. Let’s see how you can digitally encrypt and password-protect your files using some Automator help

The Problem with Using Zip to Password-Protect Your Files

I’ll get this question out of the way: “Why don’t I just use a password-protected zip file?” The short answer is that a zip password from the stock macOS zip is not much better than no password at all. The longer answer is that the zip command included with macOS only supports the legacy PKZIP stream cipher (often called ZipCrypto), which has had a practical known-plaintext attack since 1994 (Biham and Kocher): an attacker who knows a small piece of any one file in the archive can recover the cipher’s internal state and decrypt everything, without ever guessing the password.

Here’s a bit of background. AES (Advanced Encryption Standard), an algorithm developed by two Belgian cryptographers (Joan Daemen and Vincent Rijmen, who originally called it Rijndael), is the standard for encrypting files: NIST adopted it as FIPS 197 in 2001. AES supports encryption keys that are 128, 192, and 256 bits long. The United States government uses this form of encryption, as do security-conscious folks around the world.

The version of zip included with macOS is Info-ZIP’s Zip 3.0, released in 2008. It’s almost ten years old, and most importantly, it does not support AES encryption at all; AES inside zip archives is a later WinZip extension that Zip 3.0 never implemented. The recommended minimum level of encryption for protecting sensitive files and documents is AES-128, and zip doesn’t even support that.

So, long story short, I won’t be showing you how to implement a one-click solution that zips your files (using zip) and password-protects them.

The Sledgehammer Approach

Instead, I’m going back to my Linux roots and pulling out some old favorites: tar, gzip, and openssl. All three already ship with macOS (typing which tar gzip openssl in Terminal shows their paths), and macOS’s tar can gzip on its own through its -z switch, so nothing strictly needs to be installed. If you’d rather have the current GNU gzip than Apple’s build, Homebrew has it; if you don’t have Homebrew installed already, go follow my directions on installing it and then issue this command in the Terminal:

brew install gzip

Next, we’ll use Automator to create a new service to allow us to right-click the files or folders we want to encrypt. You can download my Automator workflow from its github repository, install it, and you’ll be good to go. To install the service, just unzip the file you downloaded from my github repository and double-click the workflow. Automator will prompt you to install the service.

Here’s how it works.

You select your files or folders, and then secondary (right) click to get the contextual menu. If you’ve installed the Automator workflow service, you’ll have an entry in the Services submenu called Encrypt Files, or something similar. When you click it, your Mac takes the following actions.

The Automator Workflow Service in Action

First, it encapsulates all of the files and folders in what we call a tarball, or a tar archive. The name comes from the command’s original use of storing archives on magnetic tape. The name “tar” stands for tape archiver.

Next, your Mac uses gzip to compress the tar archive file. This is the “z” in the command switches. You’ll end up with a file named Archive.tgz, at least briefly. Both of these two steps are done with a single command in the bash script you’ll see in Automator:

/usr/bin/tar -czHf "$Tarfile" "${@##*/}"

There’s a bunch of parameter, variable, and other Terminal geekery in there, so briefly: -c creates an archive, -z runs it through gzip, -H makes tar follow any symbolic links you selected instead of archiving the links themselves, and -f writes the result to the file named by $Tarfile. The "${@##*/}" part expands every selected path with its directory portion stripped off, so the archive stores bare names rather than full paths. That only works when the script is already sitting in the folder that contains the selected items, so everything you select should live in the same folder.

Once the archival and compression is done, the workflow uses openssl to password-protect your files. John Martellaro wrote an excellent piece on how great it is that we have openssl available to strongly encrypt our files, and it doesn’t cost a dime. What openssl does that zip fails to do is utilize not just the bare minimum of AES encryption, but the full AES-256 standard, here in CBC mode with a random salt so that the same input never encrypts to the same output twice. That’s what we’re using here. Two caveats are worth knowing. First, -k passes the password as a command-line argument, which any other process on the Mac can read from the process list while openssl runs; -pass stdin or -pass env:NAME is the safer way to feed it. Second, openssl enc turns the password into the key with a single hash pass unless you add -pbkdf2 -iter N (available in OpenSSL 1.1.1 and later), so the password itself has to carry all of the strength; and because there is no integrity check, a tampered file is not detected, only garbled. The command used for this is run from AppleScript:

openssl aes-256-cbc -salt -in " & currentArchiveName & " -out " & currentArchiveName & ".enc -k " & passwd

Decrypting and Expanding the File Later

When you’re ready to unearth those files you archived and protected, here’s what you need to do. Issue these two commands in Terminal, inputting your password when prompted. One compatibility note: the legacy key derivation changed its default digest from MD5 to SHA-256 in OpenSSL 1.1.0, so a file encrypted on an older openssl may need -md md5 added to the first command before a newer openssl will decrypt it.

openssl enc -d -aes-256-cbc -in Archive.tgz.enc -out Archive.tgz
tar -zxvf Archive.tgz
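Here is the whole round trip (the tar-and-gzip step, the openssl step, and the later decryption) as a plain shell script. This is an added example, not the Automator workflow or the code in my github repository, and it differs from the workflow in three deliberate ways that I would want in practice: the password is read from an environment variable I’ve named ENC_PASS (via -pass env:) instead of -k, so it never shows up in the process list; tar pipes straight into openssl, so no unencrypted Archive.tgz is ever written to disk; and the script adds -pbkdf2 -iter 200000 (my choice of count) whenever the installed openssl is new enough to accept it, falling back to the legacy derivation otherwise. The function names, the ENC_PASS variable and the sample files are all mine.

```shell
#!/bin/sh
# Added example: a plain shell version of the workflow's two steps plus the
# decrypt step. Not the article's Automator workflow or its GitHub code.
# Assumptions (mine): the password arrives in $ENC_PASS, never on the
# command line, and all selected items share one parent directory.
set -eu

# True when this openssl's enc subcommand accepts -pbkdf2 (OpenSSL 1.1.1+).
openssl_has_pbkdf2() {
    openssl enc -help 2>&1 | grep -q -- '-pbkdf2'
}

# Key-derivation flags to add: PBKDF2 with many iterations when available,
# nothing otherwise (openssl then uses its legacy single-pass derivation).
kdf_opts() {
    if openssl_has_pbkdf2; then
        printf '%s' '-pbkdf2 -iter 200000'
    fi
}

# encrypt_paths OUTFILE PARENT NAME...
# tar+gzip the NAMEs relative to PARENT (bare names, as "${@##*/}" does in
# the workflow) and pipe straight into AES-256-CBC, so no plaintext .tgz is
# ever written to disk. -salt prefixes "Salted__" plus 8 random salt bytes.
encrypt_paths() {
    out=$1; parent=$2; shift 2
    # shellcheck disable=SC2046  # kdf_opts is meant to be word-split
    tar -czf - -C "$parent" "$@" |
        openssl enc -aes-256-cbc -salt $(kdf_opts) -pass env:ENC_PASS -out "$out"
}

# decrypt_to ENCFILE DESTDIR : the reverse. A wrong password makes openssl
# report "bad decrypt" or hands gzip garbage, so the pipeline exits non-zero.
decrypt_to() {
    in=$1; dest=$2
    mkdir -p "$dest"
    openssl enc -d -aes-256-cbc $(kdf_opts) -pass env:ENC_PASS -in "$in" |
        tar -xzf - -C "$dest"
}

# Round trip on constructed sample files:  sh encrypt.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    mkdir -p "$work/src/sub"
    printf 'hello\n' > "$work/src/a.txt"        # constructed sample input
    printf 'world\n' > "$work/src/sub/b.txt"
    ENC_PASS='correct horse battery staple'; export ENC_PASS
    encrypt_paths "$work/Archive.tgz.enc" "$work/src" a.txt sub
    decrypt_to "$work/Archive.tgz.enc" "$work/restored"
    ls -R "$work/restored"
fi
```

Reading the password from the environment keeps it out of ps output, but it is still visible to other processes running as the same user; for interactive use, -pass stdin with the password typed or piped in is tighter still. Because the script only adds -pbkdf2 when openssl supports it, a file encrypted on a machine whose openssl has it will not decrypt on one whose openssl lacks it, so keep the encrypt and decrypt sides on matching tools.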

That will restore your files in hierarchical directory order, but I’m not finished talking to you yet.

Please, Please Choose a Strong Password

As great as AES-256 encryption is, it’s not worth a thing if you use a poor password. According to my sources, someone with a 25-GPU cluster computer setup can guess 350 billion passwords per second. That rate was measured against a fast, unsalted hash, not against a deliberately slow, iterated key derivation, which is exactly why slow key derivation matters; taking the figure at face value, each line below is simply the size of the character set raised to the password length, divided by 350 billion guesses per second. In layman’s terms, this is what that means as far as brute-forcing the encryption on your file.

  • An eight-character lowercase password will fail in 0.6 seconds
  • Mix and match upper and lower case letters in an eight-character password, and it’ll take 2.5 minutes to be cracked.
  • If you add two more characters, all lower case, you’ll buy yourself a little bit more time. It would take that 25-GPU cluster seven minutes to crack it.
  • An eight-character password with upper case, lower case, and numeric characters can crack in 10 minutes.
  • A 10-character password with just upper and lower case letters would take about five days to crack (52 to the 10th power is roughly 1.4 × 10^17 guesses, which at 350 billion per second is about 413,000 seconds).
  • Add some numeric digits to that 10-character upper/lower case password, and it’ll take the cluster 28 days to crack.
  • If you use a 10-character password consisting of upper case letters, lower case letters, numbers, and symbols, the cluster would need 5.5 years to crack it.

The moral of the story here is that the longer your password and the larger the set of characters it draws from, the harder it will be to crack; a long passphrase beats a short jumble of symbols. If you’re going to bother to password-protect your files, do it the right way.

5 Comments

  1. whisper

    Does Apple’s weak encryption also apply to disk images created with Disk Utility? That says that it is using AES 128 or 256

    • Jeff Butts

      As far as I can tell, it’s just zip. If Disk Utility says AES-128 or AES-256, you’re in pretty good shape.

  2. Jamie

    I second the zip conclusion, seems that way to me as well. Gotta say again, thanks Jeff. Your technical articles are terrific, and thanks TMO for bringing Jeff on board. Melissa is great, too, and I really appreciate and enjoy these pieces. 🙂

  3. ipaqrat

    Very nice article with sound, approachable technique. But where zipping is concerned, note that Corel’s WinZip for Mac is at version 6+. Its early App Store reviews are spotty, and it’s not cheap. But it does permit setting its default encryption method to AES 128 or 256 (or crappy WinZip 2.0). So far, it has worked well for me. Password-wise, my policy for my teams is a passphrase of 15+ characters, trying to work in upper/lower/number/special. Passwords for the zips are never mailed; rather they are accessed from a database that requires multi-factor authentication. Machines all have data-at-rest encryption. All removable media must be encrypted or files cannot be written. Blah, blah… All precautions possibly meaningless once quantum computers are in play. Good times.

  4. wasabi

    Hey Jeff!
    Thanks for this article! I tried running this but got an AppleScript error.

    Syntax Error
    /PATH//PATH/Testfile.xlsx-2.tgz: No such file or directory
    1473:error:02001002:system library:fopen:No such file or directory:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/crypto/bio/bss_file.c:356:fopen(‘/PATH//PATH/Testfile.xlsx-2.tgz’,’r’)
    1473:error:20074002:BIO routines:FILE_CTRL:system lib:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/crypto/bio/bss_file.c:358:

    This is the line:
    do shell script "openssl aes-256-cbc -salt -in " & currentArchiveName & " -out " & currentArchiveName & ".enc -k " & passwd

    I think it might be an encoding issue. Can you help, please?
    I have English installed as my Primary language.

    Chris
