openssl enc -d -aes-256-cbc -in final_backup.tar.gz.enc | tar xzv
This decrypts and extracts in one go.
Encryption protects contents, not metadata. An attacker can still see backup.tar.gz.enc exists, along with its file size and timestamps. If file size is sensitive, you can pad the archive with dummy data (advanced).
There is no "forgot password" feature. If you lose the key to an AES-256 encrypted file, even the NSA cannot recover it. Store your password in a password manager (e.g., Bitwarden, KeePass).
To encrypt an existing .tar.gz with a password: password protect tar.gz file
gpg --symmetric --cipher-algo AES256 myfiles.tar.gz
This creates myfiles.tar.gz.gpg. You will be prompted for a password.
To get back your original .tar.gz:
openssl enc -d -aes-256-cbc -in myfiles.tar.gz.enc -out myfiles_decrypted.tar.gz
Then extract normally:
tar -xzvf myfiles_decrypted.tar.gz
The classic zip command can encrypt archives, but it uses PKZIP encryption (weak) unless you specify AES. Recent versions support AES, but it's not universal.
To create an encrypted zip (with traditional, weaker encryption):
zip --password mypassword -r archive.zip myfolder/
Warning: Default zip encryption is easily broken. Only use if compatibility with old systems is required and data is not highly sensitive. For AES, use 7z or gpg. openssl enc -d -aes-256-cbc -in final_backup
Best for: Sharing files with Windows or macOS users who aren't comfortable with the command line.
Here’s a little secret: A tar.gz file is not the only archiving format. The .zip format has supported password-based AES encryption for years. While you lose some of the Unix-specific perks of tar (like preserving exact ownership and symlinks), the zip command can directly compress and encrypt a folder.