How to Encrypt a File With a Password
You need to email a tax document, store a credentials file, or hand off a database dump — and you want it locked so only someone with the password can open it. Password-based file encryption solves this, and you have several good options depending on whether you want zero installs, command-line control, or archive compatibility.
This guide covers four practical methods, all built on AES-256, plus the one detail that separates real protection from a false sense of security.
How Password Encryption Actually Works
You don't encrypt a file with a password directly. AES needs a fixed-length key (256 bits), not a human password. So every tool does two steps:
- Key derivation — stretch your password into a proper encryption key using a function like PBKDF2, scrypt, or Argon2, combined with a random salt.
- Encryption — use that derived key with AES-256 (typically in GCM or CBC mode) to encrypt the file.
The key-derivation step is what makes a weak password survivable: a good KDF runs hundreds of thousands of iterations, so brute-forcing each password guess is deliberately slow. A tool that skips proper key derivation (or uses a fast single hash) is far easier to crack. This is the same reason you use bcrypt/Argon2 for passwords rather than a plain hash.
Method 1 — In Your Browser (No Install)
The quickest option for a one-off file: the File Encrypt/Decrypt tool. Drop in a file, type a password, and it encrypts with AES-256 using the browser's native Web Crypto API and PBKDF2 key derivation. The file never leaves your device — all the cryptography runs locally in the page — so it's safe even for sensitive documents.
To decrypt, the recipient opens the same tool, selects the encrypted file, and enters the password. For short text rather than whole files, the AES Encrypt/Decrypt tool does the same thing for a pasted string.
Method 2 — OpenSSL (Command Line)
If you have OpenSSL installed (every Mac and Linux box does), this one-liner encrypts a file with AES-256:
# Encrypt
openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 \
-in secret.pdf -out secret.pdf.enc
# Decrypt
openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
-in secret.pdf.enc -out secret.pdf
It'll prompt for the password. The flags matter:
- -salt adds a random salt (default, but be explicit).
- -pbkdf2 uses a real key-derivation function instead of the legacy weak one.
- -iter 600000 sets the iteration count high enough to slow brute force.
Never omit -pbkdf2. Older OpenSSL defaults derived the key with a single MD5 pass — trivially crackable. Always include it.
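The gap between the two derivations, as an added example that is not part of the original article or of OpenSSL's own code: it reads the Salted__ header of an openssl enc file, derives the key and IV both ways, and measures the cost of one password guess under each. It assumes the default 8-byte salt and SHA-256 as the PBKDF2 digest; the function names and the sample file bytes are constructed for illustration.

```python
import hashlib
import os
import time

MAGIC = b"Salted__"          # header `openssl enc` writes in front of the salt
KEY_LEN, IV_LEN = 32, 16     # AES-256 key and CBC IV sizes in bytes

def parse_header(blob):
    """Split an `openssl enc` file into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not a salted `openssl enc` file")
    return blob[8:16], blob[16:]

def derive_pbkdf2(password, salt, iterations=600_000):
    """Key and IV as derived with -pbkdf2 -iter N (assumes the SHA-256 digest)."""
    out = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, KEY_LEN + IV_LEN)
    return out[:KEY_LEN], out[KEY_LEN:]

def derive_legacy_md5(password, salt):
    """Legacy derivation the text warns about: chained MD5, one pass per block."""
    out, block = b"", b""
    while len(out) < KEY_LEN + IV_LEN:
        block = hashlib.md5(block + password + salt).digest()
        out += block
    return out[:KEY_LEN], out[KEY_LEN:KEY_LEN + IV_LEN]

def seconds_per_guess(derive, password, salt, rounds):
    """Average wall-clock cost of turning one password guess into a key."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive(password, salt)
    return (time.perf_counter() - start) / rounds

def cost_ratio(password, salt):
    """How many times more expensive a PBKDF2 guess is than a legacy guess."""
    slow = seconds_per_guess(derive_pbkdf2, password, salt, rounds=1)
    fast = seconds_per_guess(derive_legacy_md5, password, salt, rounds=20_000)
    return slow / fast

if __name__ == "__main__":
    # Constructed sample file: header + random salt + placeholder ciphertext.
    sample = MAGIC + os.urandom(8) + b"\x00" * 32
    salt, _ = parse_header(sample)
    pw = b"correct horse battery staple"   # constructed example passphrase
    key, iv = derive_pbkdf2(pw, salt)
    print("salt:", salt.hex(), "key bytes:", len(key), "iv bytes:", len(iv))
    print(f"one PBKDF2 guess costs ~{cost_ratio(pw, salt):,.0f}x a legacy MD5 guess")
```

The printed ratio is the work factor the -pbkdf2 -iter 600000 flags add to every guess against the encrypted file.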
Method 3 — 7-Zip (Encrypted Archive)
For something a non-technical recipient can open, an encrypted ZIP/7z archive is hard to beat — 7-Zip is free and uses AES-256:
# Encrypt into an AES-256 archive (prompts for password)
7z a -p -mhe=on secret.7z secret.pdf
- -p prompts for a password.
- -mhe=on encrypts the file names too, not just contents (7z format only).
The recipient just double-clicks and enters the password. Avoid the legacy "ZipCrypto" method some tools default to — it's broken; insist on AES-256.
Method 4 — GPG (Symmetric Mode)
GPG is usually associated with public keys, but it has a symmetric (password) mode that's excellent for files:
# Encrypt
gpg --symmetric --cipher-algo AES256 secret.pdf
# → produces secret.pdf.gpg
# Decrypt
gpg --decrypt secret.pdf.gpg > secret.pdf
GPG handles salt, key derivation, and integrity automatically, and the .gpg format is widely supported across platforms.
The Password Is the Weak Link
All four methods use AES-256, and no practical attack on the cipher itself is known. The only realistic attack is guessing your password. A determined attacker with the encrypted file will run billions of guesses against it offline.
That means:
- Use a long, random password. A 6-character password falls in seconds regardless of AES. Generate a strong one with the Password Generator — aim for 16+ characters or a 5–6 word passphrase.
- Don't reuse a password you've used elsewhere; a leak from another site hands over your file.
- Transmit the password out-of-band. Don't email the encrypted file and the password in the same thread. Send one by email and the other by text or a password manager share.
Verify Integrity
After encrypting and transferring a file, confirm it arrived intact by comparing checksums. Generate a SHA-256 hash of the file on both ends; if the hashes match, the file wasn't corrupted in transit. A match rules out tampering only when the reference hash reaches the recipient over a channel the attacker could not alter.
Quick Reference
- AES-256 encrypts the file; a KDF (PBKDF2/scrypt/Argon2) + salt turns your password into the key.
- Browser, no install: File Encrypt/Decrypt — runs locally, file never uploaded.
- CLI: openssl enc -aes-256-cbc -pbkdf2 -iter 600000 (always include -pbkdf2).
- Shareable archive: 7z a -p -mhe=on with AES-256, not ZipCrypto.
- The password is the only weak point — use 16+ random characters from the Password Generator and send it out-of-band.