Skip to content
Latchkey

zip -e and -P: Password-Protect an Archive

zip -e encrypts an archive with a password you are prompted for; zip -P supplies the password on the command line.

The classic Info-ZIP encryption (ZipCrypto) is weak, but it is sometimes required for interop. In CI, -e prompting will hang, so -P or a piped password is used with care.

What it does

zip -e adds the file with traditional PKWARE/ZipCrypto encryption, prompting twice for the password. zip -P <password> takes the password directly without prompting. The encryption is the legacy ZipCrypto scheme, which is considered weak and is not AES.

Common usage

Terminal
# interactive: prompts for the password (do not use in CI, it hangs)
zip -e -r secret.zip dist
# non-interactive: password on the command line
zip -P "$ZIP_PASSWORD" -r secret.zip dist

Options

FlagWhat it does
-eEncrypt, prompting for the password
-P <password>Use the given password without prompting
-rRecurse into directories
-qQuiet output

In CI

Never use bare -e in a pipeline: it waits on a TTY for the password and hangs the job. Use -P from an environment variable, but be aware -P exposes the password in the process list and shell history. The Info-ZIP ZipCrypto cipher is weak; for real confidentiality prefer encrypting with a strong tool (gpg or openssl enc with AES) rather than zip passwords.

Common errors in CI

A job that appears to stall on the packaging step is usually a bare -e waiting for the interactive password prompt; switch to -P. "zip warning: incorrect password" appears on the unzip side when the password does not match. Note many platform unzip tools cannot open ZipCrypto archives, so a partner who cannot extract may simply lack ZipCrypto support.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →