A secure, lightweight PowerShell-based encryption solution for protecting sensitive directories using 7-Zip's AES-256 encryption with filename obfuscation.
- π‘οΈ Military-Grade Encryption: AES-256 encryption with password-protected archives
- ποΈ Filename Obfuscation: Directory structure and filenames are encrypted (
-mhe=on) - π Bidirectional Operation: Seamlessly encrypt folders to archives and decrypt back
- π Admin Elevation: Automatic administrator rights request when needed
- π― Smart Detection: Automatically detects whether to encrypt or decrypt based on file presence
- π§Ή Clean Workflow: Auto-cleanup of source files after successful operations
- π Stealth Mode: Archives are marked as hidden+system files
- β Integrity Validation: Verifies archive creation and file sizes
- Windows with PowerShell 5.1+
- 7-Zip installed and available in PATH (
7z.exeor7za.exe)- Download from: 7-zip.org
- Clone or download this repository
- Ensure 7-Zip is installed and accessible via PATH
- Run
run_ps1_as_admin.cmdto execute the script with administrator privileges
- Place your sensitive files in a folder named
Privatein the same directory as the script - Run
run_ps1_as_admin.cmd - Enter your encryption password (twice for confirmation)
- The script will:
- Create
Private.7z(encrypted, hidden archive) - Delete the original
Privatefolder - Mark the archive as hidden+system
- Create
- Run
run_ps1_as_admin.cmdwhenPrivate.7zexists - Enter your decryption password
- The script will:
- Extract the archive to restore the
Privatefolder - Delete the archive file
- Leave your files accessible
- Extract the archive to restore the
- Algorithm: AES-256
- Compression: User-selectable (1/5/9, default: 5)
1= Fast (minimal compression, fastest)5= Normal (recommended - good balance)9= Maximum (best compression, slowest)
- Header Encryption: Enabled (filenames encrypted)
- File Attributes: Hidden + System flags applied to archive
- SecureString: Passwords handled via PowerShell's
SecureStringAPI - Memory Protection: Immediate cleanup of plaintext passwords from memory
- Mandatory Confirmation: Double password entry required for encryption
- Strict Mode: PowerShell strict mode enabled to catch errors early
Encryption Flow:
Private/ (folder) β Private.7z (hidden archive) β Private/ (deleted)
Decryption Flow:
Private.7z (archive) β Private/ (folder) β Private.7z (deleted)
.
βββ run_ps1_as_admin.cmd # Launcher with admin elevation
βββ script.ps1 # Main encryption/decryption logic
βββ Private/ # Your sensitive folder (when decrypted)
βββ Private.7z # Encrypted archive (when encrypted, hidden)
If 7-Zip is not in your PATH, modify the Find-7Zip function in script.ps1:
function Find-7Zip {
# Add custom path
$customPath = "C:\Program Files\7-Zip\7z.exe"
if (Test-Path $customPath) { return $customPath }
# Fallback to PATH search
$exe = Get-Command 7z.exe -ErrorAction SilentlyContinue
if ($exe) { return $exe.Source }
return $null
}The script prompts you to choose a compression level during encryption:
- Level 1 (Fast): Minimal compression, very fast (~2-5 seconds for typical folders)
- Level 5 (Normal): Default - balanced compression (~5-10 seconds)
- Level 9 (Maximum): Best compression, slow (~20-60 seconds)
Recommendation: Use level 5 for regular use. Level 9 provides only 5-15% better compression but takes 5-10x longer.
To skip the prompt and always use a specific level, modify script.ps1:
# Remove the user prompt section and set directly:
$compressionLevel = 5 # Your preferred level- Use strong, unique passwords (20+ characters recommended)
- Store passwords in a password manager
- Keep the encrypted archive in a backed-up location
- Test decryption immediately after encryption
- Password strength is critical - weak passwords can be brute-forced
- Archive file can be copied or stolen (relies on password security)
- No protection against keyloggers or memory dumps during password entry
- Deletion is standard (not secure wipe) - sensitive data may be recoverable
For maximum security, consider:
- Secure deletion: Use
sdeleteor similar tools to wipe the original folder - Two-factor encryption: Create nested archives with different passwords
- Physical security: Store archives on encrypted drives (BitLocker, VeraCrypt)
- Install 7-Zip or add its installation directory to your system PATH
- Verify with:
7z --helpin PowerShell
- Check available disk space
- Ensure you have write permissions in the directory
- Verify the
Privatefolder exists and contains files
- Password is case-sensitive
- Check for keyboard layout issues (Caps Lock, Num Lock)
- Ensure archive file is not corrupted
- Files may be in use by another program
- Close File Explorer windows showing the directory
- Run the script again to retry cleanup
This project is provided as-is for personal and educational use. Modify and distribute freely.
Contributions, issues, and feature requests are welcome! Feel free to check the issues page.
- Encryption: Speed depends on folder size and CPU (typically 10-50 MB/s)
- Decryption: Generally faster than encryption (20-100 MB/s)
- Memory: Minimal footprint, suitable for folders up to several GB
- β Removed redundant admin elevation
- β Made password confirmation mandatory
- β Added archive integrity validation
- β Improved error visibility (7-Zip output now displayed)
- β Enhanced UTF-8 encoding support
- β Better error messages and cleanup handling
- β User-selectable compression level (default: 5 for speed)
- Initial release with basic encrypt/decrypt functionality
Made with π for privacy-conscious users