zip -e and -P: Password-Protect an Archive
zip -e encrypts an archive with a password you are prompted for; zip -P supplies the password on the command line.
The classic Info-ZIP encryption (ZipCrypto) is weak, but it is sometimes required for interop. In CI, -e prompting will hang, so -P or a piped password is used with care.
What it does
zip -e adds the file with traditional PKWARE/ZipCrypto encryption, prompting twice for the password. zip -P <password> takes the password directly without prompting. The encryption is the legacy ZipCrypto scheme, which is considered weak and is not AES.
Common usage
# interactive: prompts for the password (do not use in CI, it hangs)
zip -e -r secret.zip dist
# non-interactive: password on the command line
zip -P "$ZIP_PASSWORD" -r secret.zip distOptions
| Flag | What it does |
|---|---|
| -e | Encrypt, prompting for the password |
| -P <password> | Use the given password without prompting |
| -r | Recurse into directories |
| -q | Quiet output |
In CI
Never use bare -e in a pipeline: it waits on a TTY for the password and hangs the job. Use -P from an environment variable, but be aware -P exposes the password in the process list and shell history. The Info-ZIP ZipCrypto cipher is weak; for real confidentiality prefer encrypting with a strong tool (gpg or openssl enc with AES) rather than zip passwords.
Common errors in CI
A job that appears to stall on the packaging step is usually a bare -e waiting for the interactive password prompt; switch to -P. "zip warning: incorrect password" appears on the unzip side when the password does not match. Note many platform unzip tools cannot open ZipCrypto archives, so a partner who cannot extract may simply lack ZipCrypto support.