Keep archives compact and confidential by combining tar with modern encryption tools for safe transport and storage. 22.11.2025 | reading time: 3 min Want to send a snapshot of a project or store backups offsite without exposing the files? This short guide shows how to produce and extract encrypted tar archives from the command line so he can compress and encrypt in a single streaming pipeline. Quick real-world demo Follow these commands on a test host to create a demo folder, build a compressed tar stream and encrypt it with GnuPG or OpenSSL; outputs are shown as expected prompts or listings: ```mkdir -p demo && printf 'top-secret ' > demo/secret.txt && printf 'notes ' > demo/readme.txt # Symmetric GPG: create encrypted archive tar -C demo -czf - . | gpg --symmetric --cipher-algo AES256 -o demo.tar.gz.gpg # Example GPG prompts (interactive): Enter passphrase: Repeat passphrase: # Check file ls -lh demo.tar.gz.gpg # Restore by decrypting to tar gpg -d demo.tar.gz.gpg | tar -C restored -xzf - # OpenSSL approach: create encrypted archive (uses password prompt) tar -C demo -czf - . | openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt -out demo.tar.gz.enc # Decrypt and extract openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -in demo.tar.gz.enc | tar -C restored2 -xzf -``` Why streaming matters Streaming the tarball into an encryption tool avoids temporary unencrypted files and reduces disk I/O; he can pipe `tar` to `gpg` or `openssl` and extract with the reverse pipeline, which is handy for large data sets or constrained storage. Important caveats and options Prefer GnuPG for built-in integrity checks and public-key encryption when he needs to share with others; if he uses OpenSSL, always enable modern KDFs like `-pbkdf2` and many iterations, and remember OpenSSL "enc" lacks authenticated encryption so add an HMAC or use an authenticated primitive or tool for high assurance. Compression and permissions Compress before encryption (pipe `tar -czf -`) so the encrypted output is not compressible; preserve ownership and permissions with `-p` or `--same-owner` when restoring as root, and use `--exclude` to skip sensitive transient files like sockets or caches. When public keys help For team workflows he should use public-key encryption: create the tar stream and encrypt to recipients with `gpg --encrypt --recipient alice@example.com`, which produces archives only decryptable by the recipients' private keys and avoids shared passphrases. Other practical tips Consider integrity-first tools (age, gpg) for transport, store checksums alongside encrypted archives, and automate archive rotation with simple scripts or cron jobs that call `tar` and your chosen encryptor in a pipeline to avoid leaving plaintext on disk. Join Bits & Bytes Academy First class LINUX exam preparation. utilities security backup storage filesystem
