How to browser aes-256 zip vs 7-zip / zip / winzip cli
- Step 1Match the cipher you actually want — To match JAD's output on the CLI you need AES-256-in-ZIP, e.g.
7z a -tzip -mem=AES256 -p out.zip files(7-Zip's ZIP AES) — NOTzip -e(ZipCrypto) and NOT7z a out.7z(a .7z container). JAD removes the guesswork by hardcoding AES-256. - Step 2Decide on privacy posture — Both paths are local — the CLI never leaves your box and JAD never uploads (
0 bytes uploaded). The difference is install surface: JAD needs only a browser, the CLI needs a vetted binary and sometimes root to install it. - Step 3Estimate the size — For inputs comfortably under the tier ceiling (Pro 500 MB, Pro+Media/Developer 2 GB per file), the browser tool is fine. For multi-GB streaming archives the CLI's constant-memory streaming wins — zip.js buffers the result as a Blob.
- Step 4Decide if it must be scripted — CI jobs, cron, thousands of archives → CLI. One-off, ad-hoc, or 'I don't want to install anything' → JAD. Programmatic JAD access via the runner exists for paid tiers but the page itself is interactive.
- Step 5Run JAD when you pick the browser path — Open /archive-tools/encrypted-zip-creator (Pro tier), drop your files, enter a 12+ character password, click Generate, download
encrypted.zip. - Step 6Verify interoperability either way — Open the JAD output in 7-Zip/Keka, or run archive-password-tester to confirm the AES entries decrypt — proving the archive is standard, not a JAD-specific format.
Cipher and format matrix
What each tool produces by default. JAD's behaviour is from createEncryptedZip (encryptionStrength: 3). CLI behaviour is the common default per tool.
| Tool | Default cipher | Container | Notes |
|---|---|---|---|
| JAD Encrypted ZIP Creator | AES-256 (WinZip AE-2, 0x9901) — hardcoded | .zip → encrypted.zip | No way to downgrade; filenames visible, contents encrypted |
zip -e / zip -P (Info-ZIP) | ZipCrypto (broken) | .zip | GNU zip cannot do AES; the password is recoverable in seconds |
7z a out.7z -p | AES-256 | .7z (not ZIP) | -mhe=on also encrypts the filename header; different container |
7z a -tzip -mem=AES256 -p | AES-256 (AE-2) | .zip | Closest match to JAD; depends on a recent p7zip/7-Zip build |
| WinZip (GUI/CLI) | AES-256 | .zip | Paid Windows software; same AE-2 format JAD writes |
When to use which
Decision guide. The browser tool is a Pro-tier convenience; the CLI is the scaling/automation path.
| Situation | Better choice | Why |
|---|---|---|
| Locked-down laptop, no install rights | JAD | Needs only a browser; no apt/brew/sudo, no licence |
| One-off encrypted file for a colleague | JAD | Faster than remembering the right 7z flags; AES guaranteed |
| Multi-GB archive that won't fit in RAM | CLI | 7z/zip stream; zip.js buffers the Blob in memory |
| Nightly CI job, thousands of archives | CLI | Scriptable, headless, no interactive page |
| You want filenames hidden too | CLI (7z -mhe=on, .7z) | ZIP/AE-2 (and JAD) leave entry names readable |
| Recipient expects a plain .zip with password | JAD | AE-2 in a .zip is the most widely-readable encrypted form |
Cookbook
Side-by-side commands and their JAD equivalent. The goal: produce the same AES-256-in-ZIP output JAD makes.
The trap: zip -e gives you broken crypto
On most Linux/macOS systems zip -e does NOT make AES — it makes legacy ZipCrypto, which is trivially breakable. JAD never does this.
$ zip -e secret.zip report.pdf Enter password: ******** → secret.zip uses ZipCrypto (BROKEN) JAD equivalent (real AES-256): /archive-tools/encrypted-zip-creator drop report.pdf → password → Generate → encrypted.zip
Matching JAD with 7-Zip's ZIP AES
To produce the same AE-2 AES-256-in-ZIP that JAD outputs, use 7-Zip's ZIP-format AES, not its native .7z.
# Closest CLI equivalent to JAD's output: $ 7z a -tzip -mem=AES256 -p out.zip ./files # NOT the same container: $ 7z a -p out.7z ./files # → .7z, not .zip JAD: always -tzip + AES256, no flags to remember.
Hiding filenames — a CLI-only capability
JAD (and any AE-2 ZIP) leaves entry names readable. If you must hide names, that is a 7z .7z feature, not something this tool does.
$ 7z l encrypted.zip # JAD output: names visible, data locked report.pdf contract.docx $ 7z a -mhe=on -p vault.7z ./files # names hidden — .7z only Workaround in JAD: zip files into one inner archive under a generic name, then encrypt that single file here.
Verifying the JAD archive is standard
Prove there is no JAD-specific wrapper: any standard reader opens it. archive-password-tester does the same in-browser.
# Anywhere with a recent unzip: $ unzip -P 'correct-horse-battery-staple' encrypted.zip inflating: report.pdf # Or in-browser, no CLI: /archive-tools/archive-password-tester → enter password → PASS
Size ceiling: when the CLI wins
zip.js builds the result Blob in memory, so very large jobs are memory-bound. The CLI streams.
12 GB dataset: CLI: 7z a -tzip -mem=AES256 -p out.zip ./data ✓ streams JAD: exceeds the 2 GB per-file tier ceiling and tab RAM Under ~500 MB (Pro) / 2 GB (Pro+Media/Developer): JAD is fine.
Edge cases and what actually happens
Assuming zip -e equals JAD
Cipher mismatchzip -e on Info-ZIP produces ZipCrypto, not AES. It is breakable in seconds and is NOT equivalent to JAD's AES-256 output. To match JAD on the CLI you need 7z a -tzip -mem=AES256 or WinZip — not the GNU zip command.
Confusing .7z output with a ZIP
Wrong container7z a out.7z writes a 7-Zip container, not a ZIP. JAD always writes a .zip (filename encrypted.zip) with AE-2 AES entries. If the recipient expects a password-protected ZIP, the .7z will confuse non-7-Zip tooling. JAD removes this ambiguity.
Old unzip can't read AE-2
Reader too oldBoth JAD output and 7z -tzip -mem=AES256 use the AES extra field 0x9901. Ancient unzip builds predate it and report 'unsupported compression method' or a false 'wrong password'. Use a current unzip, 7-Zip, or Keka. The format is correct; the reader is the problem.
Filenames not hidden in either AES-ZIP
By designAE-2 (JAD and 7z -tzip) encrypts contents, not entry names. Header encryption (-mhe=on) is a .7z-only feature. If hiding names matters, use 7z to a .7z, or wrap-then-encrypt a single inner archive in JAD.
CLI scripted, JAD interactive
Automation gapThe page is interactive. CI/cron pipelines that need fully unattended encryption of thousands of archives are a CLI job. Paid JAD tiers can route to the local @jadapps/runner, but the page-driven flow is not a drop-in 7z replacement for batch automation.
JAD blocked on free tier
Upgrade requiredUnlike the CLI (free), JAD's Encrypted ZIP Creator is minTier: pro — free users see a plan overlay. Factor that into the comparison: the CLI has zero licence cost (except WinZip), JAD needs a Pro subscription.
Memory limit on huge inputs
Memory boundzip.js assembles the encrypted result as an in-memory Blob, capped by the 2 GB per-file tier limit and the browser's allocation. CLI tools stream and have no such ceiling. For multi-GB encryption, the CLI is the right tool.
Compression level: CLI exposes it, JAD doesn't
Not exposedOn the CLI you can tune -mx=0..9. JAD's Encrypted ZIP Creator has no level control in its options panel and the handler ignores compressionLevel — deflate runs at the zip.js default. If level tuning matters, that is a CLI advantage (or use JAD's smart-archive-compressor, which has a level slider but no encryption).
Frequently asked questions
Is JAD's output the same as 7z's encrypted ZIP?
When 7-Zip writes a ZIP with -tzip -mem=AES256, yes — both produce WinZip AE-2 AES-256 entries (extra field 0x9901). 7-Zip's *native* .7z container is different and is not what JAD outputs. JAD always writes a .zip.
Why not just use zip -e on the command line?
Because zip -e on Info-ZIP makes legacy ZipCrypto, which is broken — a known-plaintext attack recovers the password in seconds, and GNU zip can't make AES at all. JAD always makes AES-256, so there is no risk of accidentally shipping weak crypto.
Can the CLI do something JAD can't?
Yes: stream multi-GB archives without buffering in RAM, run fully unattended in CI/cron, tune the deflate level, and (via 7z -mhe=on to a .7z) encrypt the filenames themselves. JAD trades those for zero-install convenience and guaranteed AES-256.
Can JAD do something the CLI struggles with?
Run on a machine where you cannot install software, with no licence and no terminal — and guarantee strong AES without remembering the right flags. The 0 bytes uploaded badge confirms it stays local, like the CLI, but with no binary on disk.
Will my recipient need the same tool I used?
No. Whether you used JAD or 7z -tzip -mem=AES256, the result is a standard AES-256 ZIP. Any modern unzipper (7-Zip, Keka, WinZip, current unzip) opens it with the password. There is no tool lock-in on either side.
Does JAD let me pick the AES key size like the CLI?
No. The CLI lets you choose AES-128/192/256; JAD hardcodes strength 3 (AES-256) and shows 'AES-256 strength is fixed at maximum.' That is intentional — it removes the chance of shipping a weaker key by mistake.
Which is faster?
For small/medium inputs the difference is negligible — both are local. For very large archives the CLI is faster and lighter because it streams, while zip.js buffers the result as a Blob. Above the 2 GB per-file tier ceiling, only the CLI is viable.
Are the JAD outputs interchangeable with CLI outputs?
Yes, for AES-256-in-ZIP. A JAD encrypted.zip and a 7z a -tzip -mem=AES256 ZIP are both AE-2 archives — either tool, or a third unzipper, opens both with the password. Verify with archive-password-tester.
Can I hide the filenames like 7z -mhe?
Not in a ZIP. Header encryption is a .7z feature; AE-2 ZIPs (JAD and 7z -tzip) leave entry names readable. To hide names in JAD, first combine everything into one inner archive under a generic name, then encrypt that single file.
Is JAD free like the zip command?
No. zip/7z are free; JAD's Encrypted ZIP Creator is minTier: pro and shows a plan overlay to free users. WinZip on the CLI is also paid, so the cost picture depends which CLI you mean.
Can I script JAD instead of the CLI?
Paid tiers can route jobs to the local @jadapps/runner (a short-lived headless Chromium running the same zip.js engine), but the page is interactive and is not a drop-in 7z replacement for unattended batch pipelines. For heavy automation, the CLI remains the better fit.
How do I get an integrity hash like sha256sum?
Run the downloaded encrypted.zip through checksum-generator for SHA-256 / SHA-1 / MD5 — the in-browser equivalent of sha256sum encrypted.zip to publish alongside the file.
Privacy first
Every JAD Archive tool runs entirely in your browser using fflate, @zip.js/zip.js, and the libarchive WASM bridge. Your archives never leave your device — verified by zero outbound network requests during processing.