Encrypting a single file?

If I wanted to create a file in Qubes, encrypt it, then move it off the Qubes machine. What would be the best practice methodology to do this? Would you use Veracrypt or LUKS or…?

Hi, for a single file LUKS nor Veracrypt are very adapted. Both are made for volume encryption, for single file encryption you could always use PGP or mcrypt depending on your needs.


Hi user00,

as KileXt said, PGP is the way to go for a single file.

Maybe this article helps:


Or just use 7zip encryption, if it’s nothing too important.

1 Like

That sounds as if it was somehow insecure to use 7zip. Although I don’t know if it has ever undergone a formal security audit, 7zip uses strong AES256 encryption, instead of for example WinZip.
7zip can also encrypt the filenames inside of an archive.

I’d say for regular use cases it is just as secure as GPG encryption and, for less tech-savvy users, it is probably easier to use. I for example often use it to exchange confidential documents with customers.

Agree with @phl running:
7za a "FILENAME.7z" *.txt -p -mhe=on
Is pretty simple and straight forward.

A quick and very secure option is also using KeePassXC.
With KeePassXC you have a kind of(!) encrypted container file.

  • encryption with transform rounds settings
  • optionally add (or only; if password kept empty) a keyfile or Yubikey

You mean just add the text to a kdbx?

Hmm. I am trying to use 7za in Whonix but seems to be using Xarchive to compress/extract and it seems very buggy with passwords. Am I missing something?

Yes, you can add any file as attachment to kdbx (maybe there is a file limit) or add ASCII text in the Note section.

14 Oct 2020, 17:36 by qubes_os@discoursemail.com:

You need to install 7z to template VM first.

You can search the web for “install 7z fedora”. I guess it is named p7z …

Sorry, I just replying with my mobile directly by email.

14 Oct 2020, 17:59 by qubes_os@discoursemail.com:

I don’t know what the package is named in Whonix. In fedora it’s something like p7zip-full.
@whoami already posted the command line approach of encrypting files with 7z, but I am sure there also is a neat GUI integration for those who prefer it. Unfortunately, I don’t have any experience with this.

I have installed Ark on the Fedora template which can also encrypt to .7z from within a gui.

The best solution depends on the details of your use case. As described, there’s nothing Qubes-specific involved, so whichever solution is best for your domU will do.

However, since no one has mentioned qvm-backup so far, I’d like to point out that it also does what you ask. :slightly_smiling_face: