How to detect a zip's encryption method online for free
- Step 1: Open the detector — Go to /archive-tools/encrypted-archive-detector. No account is needed for the free tier. The page runs entirely client-side once loaded.
- Step 2: Drop the ZIP — Drag the .zip into the dropzone (or click to pick it). This tool reads one ZIP at a time and takes no other input — there is no password box, because it never needs to decrypt anything.
- Step 3: Confirm it's a ZIP — The detector parses the ZIP central directory via the End-of-Central-Directory record. If the file is a .7z, .rar, .tar.gz, or a renamed non-ZIP, it throws Not a valid ZIP archive. — run auto-format-detector first to confirm the real format.
- Step 4: Run the detection — Click Process. For each central-directory entry the tool checks flag bit 0 for encryption, then scans the extra field for 0x9901 and reads the AES strength byte (1 = AES-128, 2 = AES-192, 3 = AES-256). An encrypted entry with no AES field is reported as ZipCrypto.
- Step 5: Read the report — The result panel shows the metrics (AES-256, AES-192, AES-128, ZipCrypto, Plain counts) and a Download button. The downloaded JSON has filename, totalEntries, an encryptionSummary object, and an entries array of { name, encrypted, method }.
- Step 6: Act on the verdict — If any entry shows ZipCrypto, re-encrypt the archive with AES-256 using encrypted-zip-creator before sharing. To verify a candidate password against an encrypted entry, use archive-password-tester.
What the detector reports for each entry
Every value comes from the ZIP central-directory record — readable without the password. method is the per-entry verdict; the summary tallies them.
| Detected value | How it's identified | Security verdict |
|---|---|---|
| Unencrypted | General-purpose flag bit 0 is 0 — entry not encrypted at all | No protection; anyone with the file reads the content |
| ZipCrypto (legacy) | Flag bit 0 is 1 and no 0x9901 AES extra field is present | Broken — known-plaintext attack recovers the password in seconds. Re-encrypt with AES-256 |
| AES-128 | Flag bit 0 is 1, 0x9901 extra field present, strength byte = 1 | Strong; AE-2 (WinZip). Fine for most use; AES-256 is the modern default |
| AES-192 | Flag bit 0 is 1, 0x9901 extra field present, strength byte = 2 | Strong; rarely seen in practice |
| AES-256 | Flag bit 0 is 1, 0x9901 extra field present, strength byte = 3 | Currently uncrackable with a strong password — the recommended scheme |
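
The classification rules in the table above, written out as an added JavaScript example (not the detector's own source). The names classifyEntries and sampleZip and the sample bytes are constructed here, and ZIP64 archives are assumed out of scope.

```javascript
const AES = { 1: "AES-128", 2: "AES-192", 3: "AES-256" };

function classifyEntries(bytes) {
  const v = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  // Locate the End-of-Central-Directory record by scanning backwards.
  let eocd = v.byteLength - 22;
  while (eocd >= 0 && v.getUint32(eocd, true) !== 0x06054b50) eocd--;
  if (eocd < 0) throw new Error("Not a valid ZIP archive.");
  const entries = [];
  let off = v.getUint32(eocd + 16, true); // central-directory offset
  // Walk entries while the signature matches and the offset stays in bounds.
  while (off + 46 <= eocd && v.getUint32(off, true) === 0x02014b50) {
    const nameEnd = off + 46 + v.getUint16(off + 28, true);
    const extraEnd = nameEnd + v.getUint16(off + 30, true);
    if (extraEnd > eocd) break; // truncated entry: stop, keep what was parsed
    const encrypted = (v.getUint16(off + 8, true) & 1) === 1; // flag bit 0
    let method = encrypted ? "ZipCrypto" : "None";
    // The extra field is a run of (id u16, size u16, data) records.
    for (let p = nameEnd; encrypted && p + 4 <= extraEnd; ) {
      const size = v.getUint16(p + 2, true);
      // 0x9901 data: version(2), vendor "AE"(2), strength(1), real method(2)
      if (v.getUint16(p, true) === 0x9901 && size >= 5 && p + 4 + size <= extraEnd)
        method = AES[v.getUint8(p + 8)] || method; // unknown strength stays ZipCrypto
      p += 4 + size;
    }
    const name = new TextDecoder().decode(bytes.subarray(off + 46, nameEnd));
    entries.push({ name, encrypted, method });
    off = extraEnd + v.getUint16(off + 32, true); // skip the file comment
  }
  return entries;
}

// Constructed sample: a central directory only (no file data), then the EOCD.
function sampleZip() {
  const aes256 = [0x01, 0x99, 7, 0, 2, 0, 0x41, 0x45, 3, 8, 0];
  const recs = [["a.txt", 1, aes256], ["b.txt", 1, []], ["c.txt", 0, []]];
  const out = [];
  for (const [name, flags, extra] of recs) {
    const h = new Uint8Array(46);
    new DataView(h.buffer).setUint32(0, 0x02014b50, true);
    h[8] = flags; h[28] = name.length; h[30] = extra.length;
    out.push(...h, ...new TextEncoder().encode(name), ...extra);
  }
  const e = new Uint8Array(22), v = new DataView(e.buffer);
  v.setUint32(0, 0x06054b50, true); v.setUint16(8, 3, true); v.setUint16(10, 3, true);
  v.setUint32(12, out.length, true); // directory size; its offset (0) is already zero
  return Uint8Array.from([...out, ...e]);
}

console.log(classifyEntries(sampleZip()));
```
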
Input limits by tier (archive family)
Free tier blocks files over its size cap before processing. The detector reads the whole file into memory, so the entry-count headroom is the practical ceiling for huge archives.
| Tier | Max file size | Max entries / archive | Files per job |
|---|---|---|---|
| Free | 50 MB | 500 | 1 |
| Pro | 500 MB | 50,000 | 20 |
| Pro + Media | 2 GB | 500,000 | 100 |
| Developer | 2 GB | 500,000 | unlimited |
| Enterprise | unlimited | unlimited | unlimited |
Cookbook
Real ZIP reports the detector produces. Filenames anonymised; the JSON shape is exactly what downloads.
A clean AES-256 archive
A ZIP created by a modern tool with AES-256. Every entry shows the 0x9901 field with strength byte 3. This is the report you want to see before sharing sensitive data.
Input: secrets.zip (3 entries, all AES-256)
Downloaded report (secrets-encryption.json):
{
"filename": "secrets.zip",
"totalEntries": 3,
"encryptionSummary": {
"AES-256": 3, "AES-192": 0, "AES-128": 0,
"ZipCrypto (legacy)": 0, "Unencrypted": 0
},
"entries": [
{ "name": "q3-report.pdf", "encrypted": true, "method": "AES-256" },
{ "name": "payroll.xlsx", "encrypted": true, "method": "AES-256" },
{ "name": "notes.txt", "encrypted": true, "method": "AES-256" }
]
}
Legacy ZipCrypto — re-encrypt before sharing
A ZIP from an older utility (or a default 'add password' in some tools) uses ZipCrypto. The encrypted bit is set but there is no AES extra field, so the verdict is ZipCrypto. Treat this as effectively unprotected.
Input: vendor-export.zip (2 entries)
Report:
{
"filename": "vendor-export.zip",
"totalEntries": 2,
"encryptionSummary": {
"AES-256": 0, "AES-192": 0, "AES-128": 0,
"ZipCrypto (legacy)": 2, "Unencrypted": 0
},
"entries": [
{ "name": "db.sql", "encrypted": true, "method": "ZipCrypto" },
{ "name": "keys.pem", "encrypted": true, "method": "ZipCrypto" }
]
}
Next: re-encrypt with AES-256 via /archive-tools/encrypted-zip-creator
Mixed encryption — a red flag
An archive where one entry is AES-256 and another is still ZipCrypto. This usually means a re-encryption job was interrupted, or files were appended from different tools. The per-entry array surfaces exactly which file is weak.
Report:
{
"totalEntries": 3,
"encryptionSummary": {
"AES-256": 2, "AES-192": 0, "AES-128": 0,
"ZipCrypto (legacy)": 1, "Unencrypted": 0
},
"entries": [
{ "name": "a.txt", "encrypted": true, "method": "AES-256" },
{ "name": "b.txt", "encrypted": true, "method": "AES-256" },
{ "name": "c.txt", "encrypted": true, "method": "ZipCrypto" }
]
}
c.txt is the weak link — re-encrypt the whole archive.
Partially encrypted archive
Some ZIP tools let you encrypt only selected entries. The detector reports each entry independently, so you immediately see which files are protected and which are in the clear.
Report:
{
"totalEntries": 4,
"encryptionSummary": {
"AES-256": 1, "AES-192": 0, "AES-128": 0,
"ZipCrypto (legacy)": 0, "Unencrypted": 3
},
"entries": [
{ "name": "readme.txt", "encrypted": false, "method": "None" },
{ "name": "license.txt", "encrypted": false, "method": "None" },
{ "name": "logo.png", "encrypted": false, "method": "None" },
{ "name": "private.key", "encrypted": true, "method": "AES-256" }
]
}
Piping the JSON into a shell check
The report is plain JSON, so you can download it and gate a workflow on it. Here, jq fails the step if any entry is ZipCrypto — handy when you can't yet automate the detector itself (archive tools run in-browser; there is no server API).
# After downloading vendor-export-encryption.json
jq -e '.encryptionSummary["ZipCrypto (legacy)"] == 0' \
vendor-export-encryption.json \
|| { echo 'FAIL: ZipCrypto entries present'; exit 1; }
# Output when ZipCrypto is found:
false
FAIL: ZipCrypto entries present
Edge cases and what actually happens
File is a 7z / RAR / TAR.GZ, not a ZIP
Not a valid ZIP archive
This detector parses the ZIP central directory only — it does not read 7z, RAR, or TAR.GZ. If the file has no End-of-Central-Directory record, it throws "Not a valid ZIP archive." regardless of the file extension. Run auto-format-detector to confirm the real format. 7z and RAR encryption can't be classified by this tool because they don't use the ZIP flag/extra-field scheme.
Renamed file (a .rar saved as .zip)
Not a valid ZIP archive
Detection is by structure, not extension. A .rar renamed to .zip still has no ZIP EOCD record, so the tool throws "Not a valid ZIP archive." Confirm the true container with auto-format-detector; only then can encryption be classified.
Mixed encryption methods in one ZIP
By design
Different entries can legitimately use different schemes. The detector reports each entry's method independently and the encryptionSummary tallies them, so a ZIP with both AES-256 and ZipCrypto entries shows non-zero counts in two buckets. This is a strong signal of an unfinished re-encryption or appended files — treat the weakest entry as the archive's effective strength.
Partially encrypted archive (some entries plain)
Supported
Some tools encrypt only selected files. The detector marks unencrypted entries with encrypted: false and method: None, counting them under Unencrypted. Any plaintext entry in a 'secure' archive is a leak — review the per-entry array.
File exceeds your tier's size limit
Tier limit exceeded
The client checks file size before processing and throws File "<name>" exceeds the <tier> tier per-job limit (<size>). Upgrade for larger files. Free caps at 50 MB, Pro at 500 MB, Pro+Media and Developer at 2 GB. The whole file is read into memory to scan the central directory, so very large archives also stress browser RAM.
Archive with thousands of entries
Entry limit
Free tier allows up to 500 entries per archive; Pro raises it to 50,000 and Pro+Media/Developer to 500,000. A ZIP near the upper bound is parsed entry-by-entry from the central directory, so the report can be long but each entry is classified correctly.
Empty ZIP (zero entries)
Expected
A valid but empty ZIP has an EOCD record with zero central-directory entries. The tool returns totalEntries: 0, an all-zero encryptionSummary, and an empty entries array — no error, just nothing to classify.
Truncated or corrupt central directory
Partial
The parser walks entries while the central-directory signature 0x02014b50 matches and the offset stays within bounds; it stops at the first mismatch. A truncated ZIP may therefore report fewer entries than it claims. If you suspect damage, run corrupted-zip-repair to assess and recover what's salvageable.
You expected a password prompt
By design
There is no password field. Encryption type lives in plaintext metadata (flag bit 0 and the 0x9901 extra field), so the tool never decrypts and never needs a password. To check whether a specific password is correct, use archive-password-tester instead.
Non-standard AES strength byte
Reported as ZipCrypto
If an encrypted entry's 0x9901 field is missing or the strength byte isn't 1, 2, or 3, the entry stays classified as ZipCrypto (the default for any encrypted-but-not-AES entry). This is rare and usually indicates a non-conforming writer; verify with archive-metadata-extractor.
Frequently asked questions
Does the detector upload my ZIP anywhere?
No. The file is read with file.arrayBuffer() inside your browser tab and parsed in JavaScript. Nothing about the archive — bytes, filenames, or the report — is sent to a server. Open DevTools → Network during a run and you'll see no outbound request carrying the file.
Do I need the password to detect the encryption type?
No. The encryption type is stored in plaintext central-directory metadata: the general-purpose flag bit 0 marks an entry as encrypted, and the WinZip AES extra field (0x9901) records the AES strength. The tool reads these without touching the ciphertext, so detection is 100% reliable with no password.
Which formats can it analyse — does it support 7z or RAR?
ZIP only. The detector parses the ZIP central directory; 7z, RAR, and TAR.GZ use entirely different container layouts and aren't read by this tool. If you drop a non-ZIP, it throws Not a valid ZIP archive. Run /archive-tools/auto-format-detector first to confirm the format.
How does it tell ZipCrypto from AES?
An entry with flag bit 0 set is encrypted. The tool then scans that entry's extra field for ID 0x9901. If present, the strength byte (1/2/3) maps to AES-128/192/256. If the entry is encrypted but has no 0x9901 field, it's classified as legacy ZipCrypto.
Why does it matter whether a ZIP uses ZipCrypto or AES?
ZipCrypto has a published known-plaintext attack: with ~12 known plaintext bytes (often guessable from file headers), the password is recoverable in seconds. AES-256 has no such weakness. A ZIP labelled 'password protected' with ZipCrypto is effectively unprotected for sensitive data — re-encrypt it with AES-256.
What's the maximum file size and entry count?
Free: 50 MB and 500 entries per archive. Pro: 500 MB and 50,000 entries. Pro+Media: 2 GB and 500,000 entries. Developer: 2 GB and 500,000 entries. Enterprise: unlimited. The size cap is enforced before processing; oversized files throw a tier-limit error.
What does the output look like?
A JSON file named <archive-name>-encryption.json containing filename, totalEntries, an encryptionSummary object (counts for AES-256, AES-192, AES-128, ZipCrypto (legacy), and Unencrypted), and an entries array where each item is { name, encrypted, method }.
Can one ZIP contain more than one encryption method?
Yes. Each entry is classified independently, so an archive can mix AES-256 and ZipCrypto entries (or have some entries unencrypted). The summary will show non-zero counts in multiple buckets — a reliable sign of an interrupted re-encryption or files appended from different tools.
I got 'Not a valid ZIP archive' but it opens fine in 7-Zip — why?
7-Zip opens many containers (7z, RAR, TAR, GZIP, ISO). This detector only understands the ZIP central-directory format. If 7-Zip opens it but this tool rejects it, the file isn't a true ZIP. Confirm with /archive-tools/auto-format-detector.
Is there an API or CLI for this?
Not for this tool — all archive tools run in the browser/runner, with no server-side endpoint. The report is plain JSON, so a practical pattern is: run the detector, download the JSON, and gate your pipeline on it with jq (e.g. fail if the ZipCrypto count isn't zero).
Does it work offline?
Yes, once the page has loaded. Detection is pure client-side ZIP parsing with no network dependency, so you can run it on an air-gapped machine after the tab is open.
My ZIP shows AES-256 — does that mean my password is strong?
No. The detector verifies the encryption algorithm, not the password's strength. AES-256 with a weak password is still brute-forceable. Choose a long, high-entropy password and store it in a manager — and use /archive-tools/archive-password-tester only to confirm a known candidate, never to guess.
Privacy first
Every JAD Archive tool runs entirely in your browser using fflate, @zip.js/zip.js, and the libarchive WASM bridge. Your archives never leave your device — verified by zero outbound network requests during processing.