Windows 11 includes a built-in tool for creating compressed ZIP folders. However, the standard ZIP encryption method used by Windows is weak. It relies on the older ZipCrypto algorithm, which is not secure against modern attacks. This article explains how to force AES-256 encryption for ZIP files on Windows 11 using third-party tools.
Key Takeaways: Force AES-256 Encryption for ZIP Files
- 7-Zip: Free, open-source tool that creates ZIP files with AES-256 encryption. Use it to replace the weak ZipCrypto method.
- WinRAR: Commercial tool that supports AES-256 for ZIP format. Offers a 40-day trial with full functionality.
- Command line with 7-Zip: To encrypt with AES-256 without a GUI, use the command 7z a -tzip -p -mem=AES256 archive.zip files
Why AES-256 Is Needed for ZIP Files on Windows 11
The built-in ZIP encryption in Windows 11 uses ZipCrypto. ZipCrypto is a stream cipher with known weaknesses. An attacker can recover the password from an encrypted ZIP file using a known-plaintext attack or a brute-force attack that takes minutes. AES-256 is a symmetric encryption standard approved by the U.S. National Security Agency for top-secret data. It uses a 256-bit key and is resistant to all known practical attacks. Windows 11 does not natively support AES-256 for ZIP encryption. To use it, you must install a third-party compression tool.
How AES-256 Differs from ZipCrypto
ZipCrypto uses a 32-bit CRC check for password verification. This CRC can be brute-forced quickly. AES-256 uses a 256-bit key derived from the password via a key derivation function. The encryption itself is based on the Rijndael cipher with 14 rounds. ZIP files encrypted with AES-256 are marked with extra data fields that identify the encryption method. WinZip, 7-Zip, and WinRAR all recognize these fields. The PKWARE ZIP specification added AES-256 support in version 6.3.2. Windows Explorer does not read these fields, so it cannot open AES-256 encrypted ZIP files.
Steps to Force AES-256 Encryption Using 7-Zip
7-Zip is free and open source. It supports AES-256 for both 7z and ZIP formats. Follow these steps to create a ZIP file with AES-256 encryption.
- Download and install 7-Zip
Go to 7-zip.org and download the 64-bit version for your Windows 11 edition. Run the installer and accept the default settings.
- Select the files to compress
Open File Explorer and navigate to the folder containing the files you want to encrypt. Select the files or folders. Right-click on the selection.
- Open the 7-Zip add-to-archive dialog
From the context menu, choose 7-Zip and then Add to archive. The 7-Zip archive dialog opens.
- Set the archive format to ZIP
In the Archive format dropdown, select zip. The default is 7z.
- Enable AES-256 encryption
In the Encryption section, find the Encryption method dropdown. Select AES-256. Do not select ZipCrypto.
- Enter a strong password
Type a password in the Enter password box. Retype it in the Reenter password box. Use a password of at least 12 characters with a mix of uppercase, lowercase, numbers, and symbols.
- Create the encrypted ZIP file
Click OK. 7-Zip creates the ZIP file with AES-256 encryption in the same folder as the source files.
Verify the Encryption Method
To confirm AES-256 is active, open the ZIP file in 7-Zip. Select the file inside the archive and press Ctrl+Z. The Properties window shows the encryption method as AES-256. If you see ZipCrypto, you chose the wrong encryption method.
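The same check can be scripted by reading the header fields that mark the encryption method. The following Python is an added example, not part of the original article or of 7-Zip; it assumes the WinZip-style AES layout (compression method 99 plus extra field 0x9901, whose strength byte 3 means AES-256), and the function names and sample entries are constructed for illustration.

```python
import struct

AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}  # strength byte

def entry_encryption(flags, method, extra):
    """Classify one central-directory entry from its header fields."""
    if not flags & 0x01:                  # general-purpose bit 0: encrypted
        return "none"
    pos = 0
    while pos + 4 <= len(extra):          # walk (id, size, data) extra records
        hid, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4:pos + 4 + size]
        # 0x9901 = AES extra field; method 99 = "AES-encrypted" marker
        if hid == 0x9901 and method == 99 and len(data) >= 7:
            return AES_STRENGTH.get(data[4], "AES-unknown")
        pos += 4 + size
    return "unknown" if method == 99 or flags & 0x40 else "ZipCrypto"

def scan(zip_bytes):
    """Map each file name to its encryption method (no Zip64 support)."""
    eocd = zip_bytes.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HII", zip_bytes, eocd + 10)
    result = {}
    for _ in range(count):
        if zip_bytes[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        flags, method = struct.unpack_from("<HH", zip_bytes, pos + 8)
        nlen, elen, clen = struct.unpack_from("<HHH", zip_bytes, pos + 28)
        name = zip_bytes[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = zip_bytes[pos + 46 + nlen:pos + 46 + nlen + elen]
        result[name] = entry_encryption(flags, method, extra)
        pos += 46 + nlen + elen + clen
    return result

def build_sample(entries):
    """Constructed input: central directory + end record only, no file data."""
    cd = b""
    for name, flags, method, extra in entries:
        cd += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 63, 51, flags,
                          method, 0, 0, 0, 0, 0, len(name), len(extra),
                          0, 0, 0, 0, 0) + name + extra
    n = len(entries)
    return cd + struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, n, n, len(cd), 0, 0)

AES256_EXTRA = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)  # constructed
SAMPLE = build_sample([(b"report.docx", 1, 99, AES256_EXTRA),
                       (b"legacy.txt", 1, 8, b""), (b"readme.txt", 0, 8, b"")])
```

To check a real archive, pass its bytes: scan(open("archive.zip", "rb").read()). Any entry reported as ZipCrypto should be re-created with AES-256 before the file is shared.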
Steps to Force AES-256 Encryption Using WinRAR
WinRAR is a commercial tool that supports AES-256 for ZIP files. It offers a 40-day evaluation period with full features.
- Download and install WinRAR
Go to rarlab.com and download WinRAR for Windows 11. Run the installer.
- Select files and open the archive dialog
Select the files in File Explorer. Right-click and choose Add to archive. The archive name and parameters window opens.
- Set the archive format to ZIP
In the Archive format section, select ZIP. The default is RAR.
- Set the encryption method to AES-256
Click the Advanced tab. Click the Set password button. In the dialog, enter your password. Check the box for Encrypt file names. In the Encryption method dropdown, select AES-256. Click OK.
- Create the archive
Click OK in the main window. WinRAR creates the AES-256 encrypted ZIP file.
Common Issues When Using AES-256 ZIP Files on Windows 11
Windows 11 cannot open an AES-256 encrypted ZIP file
Windows Explorer does not support AES-256. Double-clicking the ZIP file opens it in File Explorer, which shows an error or a blank folder. To open the file, right-click and choose Open with 7-Zip or WinRAR. Enter the password in the tool. Do not use the built-in Windows extraction wizard.
Recipients cannot open the ZIP file
If you send an AES-256 ZIP file to someone, they must have a tool that supports AES-256. Free options include 7-Zip, PeaZip, and BreeZip. Mac users can use The Unarchiver or Keka. If the recipient uses Windows without any third-party tool, they cannot extract the file. Send them a link to download 7-Zip before sharing the ZIP file.
Password forgotten after encryption
AES-256 encryption is not reversible without the password. No password recovery tool can crack AES-256 in a reasonable time. Store the password in a password manager like Bitwarden or KeePass. Do not rely on memory for long passwords.
7-Zip AES-256 vs WinRAR AES-256: Key Differences
| Item | 7-Zip | WinRAR |
|---|---|---|
| Price | Free and open source | Commercial, 40-day trial |
| ZIP AES-256 support | Yes, via Encryption method dropdown | Yes, via Advanced tab > Set password |
| Filename encryption | Not available for ZIP format | Available via Encrypt file names checkbox |
| Command-line support | Full via 7z.exe | Full via rar.exe and winrar.exe |
| GUI language | English and 87 others | English and 47 others |
| Integration with Windows | Context menu entries | Context menu entries and shell extensions |
Both tools produce ZIP files that comply with the PKWARE specification. The encryption strength is identical. Choose 7-Zip for zero cost. Choose WinRAR if you need filename encryption in ZIP format.
Conclusion
You can now force AES-256 encryption for ZIP files on Windows 11 using 7-Zip or WinRAR. Both tools replace the weak ZipCrypto method with military-grade encryption. For batch operations, use the 7-Zip command line: 7z a -tzip -p -mem=AES256 backup.zip C:\Data\. Store your passwords in a password manager such as Bitwarden. Always verify the encryption method in the archive properties before sharing the file.