PZip is an encrypted file format (with optional compression), a command-line tool, and a Python file-like interface.
PZip is available on PyPI:
pip install pzip
For a full list of options, run pzip -h. Basic usage is summarized below:
pzip --key keyfile sensitive_data.csv
pzip --key keyfile sensitive_data.csv.pz
Piping and outputting to stdout is also supported:
tar cf - somedir | pzip -z --key keyfile -o somedir.pz
pzip --key keyfile -c somedir.pz | tar xf -
PZip will generate an encryption key automatically, if you want:
pzip -a sensitive_data.csv
encrypting with password: HgHs4OIm4zGXkch6lTBIqg
pzip -p HgHs4OIm4zGXkch6lTBIqg sensitive_data.csv.pz
import os, pzip
key = pzip.Key(os.urandom(32))
with pzip.open("myfile.pz", "wb", key=key) as f:
f.write(b"sensitive data")
with pzip.open("myfile.pz", "rb", key=key) as f:
print(f.read())
To encrypt using a password instead of a random key (and thus use PBKDF2 instead of HKDF for key derivation):
with pzip.open("myfile.pz", "wb", key=pzip.Password("secret")) as f:
f.write(b"hello world")
By default, PZip will append the total plaintext length to the end of the file, both as a final integrity check, and a way for applications to quickly get the original file size. However, you can disable this by passing append_length=False when opening a file/stream for writing:
with pzip.open(output_stream, "wb", key=secret, append_length=False) as f:
f.write(plaintext)
See the Encryption docs for more information.
See the File Format docs for more information.
Why does this exist?
Nothing PZip does couldn't be done by chaining together existing tools - compressing with gzip, deriving a key and encrypting with openssl, generating a MAC (if not using GCM), etc. But at that point, you're probably writing a script to automate the process, tacking on bits of data here and there (or writing multiple files). PZip simply wraps that in a nice package and documents a file format. Plus having a Python interface you can pretty much treat as a file is super nice.
Why not store filename?
Storing the original filename has a number of security implications, both technical and otherwise. At a technical level, PZip would need to ensure safe filename handling across all platforms with regards to path delimiters, encodings, etc. Additionally, PZip was designed for a system where user-generated file attachments may contain sensitive information in the filenames themselves. In reality, having a stored filename is of minimal use anyway, since the default behavior is to append and remove a .pz suffix when encrypting/decrypting. If a .pz file was renamed, you would have a conflict that would likely be resolved by using the actual filename (not the stored filename) anyway. With all of that said, PZip does specify a FILENAME tag for applications that wish to store it.
FAQs
Crytographically secure file compression.
We found that pzip demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Elastic’s return to open source with the AGPL license has been met with skepticism, as many developers see it as a strategic move rather than a genuine effort to restore user trust and freedoms.
Security News
A new "revival hijack" supply chain attack targets deleted Python packages, with an estimated 22K packages at risk. Socket can detect and block hijacked packages that have added malicious code.
Product
We're introducing a new Analytics feature in the Socket dashboard so you can view changes in your organization's and repositories' alerts over time.