Skip to main content

Zip Security Options

The ZIP security options page lets you determine how you use encryption and digital signing with archived data based on strong public-key encryption separate from the OpenPGP model.

Note: Some options described here may be disabled by PK Protect Policy. Contact your PK Protect Policy Administrator for more information.

Encryption Options

Check the Encrypt files box to encrypt every file added to a ZIP archive. Click Advanced to review and select Advanced Encryption Options.

You can choose to encrypt the names of files and folders in a ZIP archive by setting Encrypt File Names.

Specify an Encryption Algorithm

When encrypting files, you need to identify a procedure (or algorithm) for converting the content of a file into gibberish that can then be converted back into human-readable content. Select an algorithm from the Algorithm drop-down menu.

For the strong encryption methods, PK Protect offers the algorithms shown in the following table. Different key lengths are supported for the AES (Advanced Encryption Standard) algorithm. In general, the longer the key, the stronger the encryption. Encryption also takes slightly longer in proportion to the length of the key.




The standard algorithm adopted by the U.S. federal government and in increasingly widespread use in banking and credit card operations.


"Triple DES" is a stronger, updated variant of the older DES algorithm.

Note: PK Protect can decrypt files that were encrypted with the older, less commonly used algorithms RC2, RC4, and DES, but PK Protect does not use these algorithms for encryption.

Enable Smartkey Encryption

If you are in an enterprise using PK Protect to secure data, you'll find that Smartkeys replace both passphrase- and certificate-based encryption, and makes PK Protect unique. A Smartkey is a collection of encryption keys tied to an access control list (ACL). The ACL defines who can decrypt the data contained in an archive.

Check Enable Smartkey encryption to turn on Smartkeys. Use the drop-down menu to define a default Smartkey for encryption. Click Manage Smartkeys to add and remove Smartkeys to your installation.

Note: Smartkeys generate a passphrase to allow a Smartkey owner to  share this Smartkey-encrypted archive with someone outside your organization. The owner can copy the generated passphrase to the Clipboard by right-clicking the archive and selecting Copy Smartkey from the menu (see Zip and UnZip from Windows Explorer). This passphrase can now be shared with anyone, allowing them to open the encrypted file. This passphrase is only generated if your archive contains a single file.

If you enable passphrase encryption, you can define the passphrase yourself.

Enable Certificate Encryption

Check this box to use X.509 digital certificates to encrypt ZIP archives. Only recipients you designate when you encrypt and add files to the archive can extract the files. Files are encrypted using the algorithm specified in the Algorithm drop-down menu.

Use the drop-down menu to select a default certificate from a list of available certificates. Always choose a valid certificate (with a green check icon) from this list.

Enable Passphrase Encryption

Check this box to use strong passphrase-based encryption. Passphrases can include spaces and other non-alphanumeric characters. Files are encrypted using the algorithm specified in the Algorithm drop-down menu.

When you use both a passphrase and a certificate/recipient list, files in the archive can be decrypted by anyone who either has the passphrase or is on the recipient list. Recipients on the list do not need to enter the passphrase to decrypt, but you can distribute the archive to people who are not on the recipient list too. They can use the passphrase to decrypt.

Signing Options

A digital signature is an unforgeable mechanism that ensures that the file to which it is attached originates from the owner of the signature and is unchanged since it was signed. Check Sign files to include a digital signature with every ZIP archive.

Hashing Algorithm for Digital Signatures

The hashing algorithm creates a hash value for the file to be signed.

The hash value uniquely represents the file: any change to the file gives it a different hash value. Comparing the hash value of the file when it was signed with the file's current hash value reveals whether the file has been changed.

The default algorithm is SHA-512.  

The strength of an algorithm is relative to the size of the resulting hash value. SHA-1 produces a 160-bit hash, a slightly longer hash value that may be more secure than that produced by the MD5 algorithm. Other SHA algorithms that may be available, depending on your operating system, produce hash values of the size indicated in their names. For example, SHA-256 produces a 256-bit hash. You must use SHA-256 or stronger to comply with FIPS, a US federal government security standard.

ZIP files created using a SHA algorithm other than SHA-1 will be incompatible with older versions of ZIP programs that do not support these newer algorithms.

Selecting a Default Signing Certificate

Regardless of whether you chose to enable encryption with certificates, when you check the Sign files box, you must then choose a default certificate to sign the files.

Use the drop-down menu to select a default certificate. Always choose a valid certificate (with a green check icon) from this list.

Viewing Certificates in ZIP Options

Click View Certificates under Enable certificate encryption to display the Personal encryption certificates dialog.

This dialog has all the features and buttons included on the View Information About a Certificate screen, along with the Strict Checking Options, Backup utility and revocation checks.

Click View Certificates under Sign files to display the Personal signing certificates dialog.

This dialog has all the features and buttons included on the View Information About a Certificate screen, along with the Strict Checking Options and the Backup utility.

Checking Revocation Status

Check the Check revocation status box to check whether certificates to use to encrypt for recipients have been revoked.

This option causes PK Protect to warn if any certificates you have selected to use to encrypt for recipients appears on an accessible list of certificates that have been revoked. If strict checking is also turned on, PK Protect does not use a revoked certificate.

You must first download a list of revoked certificates from a certificate authority to use this option. See here for information on using a certificate revocation list.

Note: You can also check online for revoked certificates with Perform online revocation checks on the General Security Options page.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.