7z - Encrypted and Multi-Part Archives

7z (7-Zip) is a high-compression archiver that shines when you need encryption (AES-256), multi-part archives for upload limits, or maximum compression for cold storage. For Linux-native backups where permissions/ownership matter, consider combining tar (to capture metadata) with 7z (to encrypt/split/compress).

Quick Summary

• Install: p7zip-full (Debian/Ubuntu) or p7zip (RHEL family).
• Create: 7z a backup.7z /path/to/data.
• Encrypt: prefer 7z a -p -mhe=on secure.7z /path/to/data (password prompt).
• Split: 7z a -v5g split.7z /path/to/data.
• Verify: 7z t backup.7z.
• Extract: 7z x backup.7z -o/tmp/restore-test.

When to use 7z (and when not to)

Use 7z when:

• You need encryption at rest for backups stored off-host.
• You need multi-part archives (for example, 2GiB or 5GiB chunks).
• You want higher compression than gzip for archival storage.

Prefer tar/tar.zst when:

• You want a Linux-native directory backup that restores quickly.
• You care about Unix metadata (owners/groups/modes) and predictable restores.

Install

Debian/Ubuntu

install-7zip-debian.sh

sudo apt update
sudo apt install -y p7zip-full

RHEL/Rocky/Alma

install-7zip-rhel.sh

sudo dnf install -y p7zip p7zip-plugins

Confirm the binary is available:

check-7z-version.sh

7z | head -n 3

Core syntax

1. Create an archive

7z-create-archive-001.sh

7z a [ARCHIVE_NAME].7z [SOURCE_PATHS...]

# Example:
# 7z a /home/wpbackup/wp-files.7z /var/www/html
# Input directory: /var/www/html
# Output file: /home/wpbackup/wp-files.7z

2. Create a compressed archive with maximum compression

7z-create-max-compression-002.sh

7z a -mx=[LEVEL] [ARCHIVE_NAME].7z [SOURCE_PATHS...]

# Example:
# 7z a -mx=9 /home/wpbackup/wp-files-max.7z /var/www/html
# Input directory: /var/www/html
# Output file: /home/wpbackup/wp-files-max.7z
# Level range: 1 (fastest) to 9 (best compression)

3. Create an encrypted archive (password prompt)

7z-create-encrypted-archive-003.sh

7z a -p -mhe=on [ARCHIVE_NAME].7z [SOURCE_PATHS...]

# Example:
# 7z a -p -mhe=on /home/wpbackup/wp-files-secure.7z /var/www/html
# Input directory: /var/www/html
# Output file: /home/wpbackup/wp-files-secure.7z
# -p         → prompts for password (do NOT use -pPASSWORD inline)
# -mhe=on    → also encrypts file names inside the archive

4. Create a split (multi-volume) archive

7z-create-split-archive-004.sh

7z a -v[SIZE] [ARCHIVE_NAME].7z [SOURCE_PATHS...]

# Example:
# 7z a -v5g /home/wpbackup/wp-files-split.7z /var/www/html
# Input directory: /var/www/html
# Output parts: /home/wpbackup/wp-files-split.7z.001, .002, .003 ...
# Size units: k (KB), m (MB), g (GB)

5. Create an encrypted + split archive (recommended for off-host backups)

7z-create-encrypted-split-archive-005.sh

7z a -p -mhe=on -v[SIZE] [ARCHIVE_NAME].7z [SOURCE_PATHS...]

# Example:
# 7z a -p -mhe=on -v2g /home/wpbackup/wp-files_$(date +%F).7z /var/www/html
# Input directory: /var/www/html
# Output parts: /home/wpbackup/wp-files_2025-10-07.7z.001, .002 ...

6. List contents of an archive

7z-list-archive-contents-006.sh

7z l [ARCHIVE_NAME].7z

# Example:
# 7z l /home/wpbackup/wp-files.7z
# Input file: /home/wpbackup/wp-files.7z
# Output: file list with sizes and dates printed to terminal

7. Test integrity of an archive

7z-test-archive-integrity-007.sh

7z t [ARCHIVE_NAME].7z

# Example:
# 7z t /home/wpbackup/wp-files.7z
# Input file: /home/wpbackup/wp-files.7z
# Output: "Everything is Ok" on success, CRC errors on corruption

8. Extract an archive (with full paths) to a staging directory

7z-extract-archive-to-staging-008.sh

7z x [ARCHIVE_NAME].7z -o[OUTPUT_DIRECTORY]

# Example:
# 7z x /home/wpbackup/wp-files.7z -o/tmp/restore-test
# Input file: /home/wpbackup/wp-files.7z
# Output directory: /tmp/restore-test
# Note: -o has no space before the path

9. Extract a split archive (point at the first part)

7z-extract-split-archive-009.sh

7z x [ARCHIVE_NAME].7z.001 -o[OUTPUT_DIRECTORY]

# Example:
# 7z x /home/wpbackup/wp-files-split.7z.001 -o/tmp/restore-test
# Input: /home/wpbackup/wp-files-split.7z.001 (7z auto-reads remaining parts)
# Output directory: /tmp/restore-test

10. Create an archive excluding cache directories

7z-create-archive-exclude-cache-010.sh

7z a [ARCHIVE_NAME].7z [SOURCE_PATHS...] -xr!'[EXCLUDE_PATTERN]'

# Example:
# 7z a /home/wpbackup/wp-files.7z /var/www/html \
#   -xr!'wp-content/cache' \
#   -xr!'wp-content/*/cache' \
#   -xr!'wp-content/uploads/cache'
# Input directory: /var/www/html
# Output file: /home/wpbackup/wp-files.7z (without cache directories)

11. Bundle database dump + files into one encrypted archive

7z-bundle-db-and-files-011.sh

mysqldump --single-transaction -u [USER] -p [DATABASE] > [TEMP_PATH]/[DB_NAME].sql && \
7z a -p -mhe=on [ARCHIVE_NAME].7z [SOURCE_PATHS...] [TEMP_PATH]/[DB_NAME].sql

# Example:
# mysqldump --single-transaction -u DB_USER -p DB_NAME > /tmp/wp-db.sql && \
# 7z a -p -mhe=on /home/wpbackup/wp-full_$(date +%F).7z /var/www/html /tmp/wp-db.sql
# Input: WordPress files + database dump
# Output: /home/wpbackup/wp-full_2025-10-07.7z

12. Tar first (preserve metadata), then encrypt with 7z

7z-tar-then-encrypt-012.sh

tar -C [SOURCE_DIRECTORY] -cf [TEMP_PATH]/[ARCHIVE_NAME].tar . && \
7z a -p -mhe=on -v[SIZE] [ARCHIVE_NAME].tar.7z [TEMP_PATH]/[ARCHIVE_NAME].tar

# Example:
# tar -C /var/www/html -cf /tmp/wp-files.tar . && \
# 7z a -p -mhe=on -v5g /home/wpbackup/wp-files_$(date +%F).tar.7z /tmp/wp-files.tar
# Input directory: /var/www/html
# Output parts: /home/wpbackup/wp-files_2025-10-07.tar.7z.001, .002 ...
# Why: tar preserves Unix ownership/permissions; 7z adds encryption and splitting

Common tasks

Create an archive

create-7z-archive.sh

7z a /backups/wp-files.7z /var/www/html

List contents

list-7z-contents.sh

7z l /backups/wp-files.7z

Test integrity

test-7z-archive.sh

7z t /backups/wp-files.7z

Expected success string:

example-7z-test-ok.txt

Everything is Ok

Extract safely to a staging directory

warning

Extraction can overwrite files. Extract to an empty directory first (for example /tmp/restore-test/) and validate before copying into place.

extract-7z-to-staging.sh

sudo rm -rf /tmp/restore-test
sudo mkdir -p /tmp/restore-test
7z x /backups/wp-files.7z -o/tmp/restore-test

Encrypt an archive

Prefer a password prompt to avoid leaking secrets into shell history and process listings.

create-encrypted-7z-archive.sh

7z a -p -mhe=on /backups/wp-files-encrypted.7z /var/www/html

warning

Avoid -pPASSWORD on the command line. It can leak via shell history and ps output.

Split into parts

create-split-7z-archive.sh

7z a -v5g /backups/wp-files-split.7z /var/www/html

This produces files like:

example-7z-split-parts.txt

wp-files-split.7z.001
wp-files-split.7z.002
wp-files-split.7z.003

To extract split archives, point 7z at the first part:

extract-split-7z-archive.sh

7z x /backups/wp-files-split.7z.001 -o/tmp/restore-test

Increase compression and control CPU threads

high-compression-multithreaded-7z.sh

7z a -mx=9 -mmt=8 /backups/wp-files-max.7z /var/www/html

WordPress-friendly pattern: tar first, then 7z

If you want to preserve Unix metadata and still use encryption/splitting, archive with tar first.

create-tar-then-encrypt-with-7z.sh

sudo tar -C /var/www/html -cf /backups/wp-files.tar .
7z a -p -mhe=on -v5g /backups/wp-files.tar.7z /backups/wp-files.tar

Advanced: store a streamed tar inside a 7z archive

This avoids writing an intermediate tar file, but it is harder to reason about under stress.

stream-tar-into-7z.sh

sudo tar -C /var/www/html -cf - . | 7z a -siwp-files.tar /backups/wp-files.7z

Quick lab: encrypted, split archive for transfer

This lab creates an encrypted archive split into 2GiB parts and validates it.

1. Create a staging backup directory.

create-backup-staging-dir.sh

sudo mkdir -p /backups

2. Create the archive (password prompt).

create-encrypted-split-7z-archive-lab.sh

7z a -p -mhe=on -v2g \
  "/backups/wp-files-$(date +%F).7z" \
  /var/www/html

3. Confirm parts exist.

list-created-7z-parts.sh

ls -1 "/backups/wp-files-$(date +%F).7z"*

4. Test integrity using the first part.

test-split-7z-archive-lab.sh

7z t "/backups/wp-files-$(date +%F).7z.001"

5. Extract to a staging directory.

extract-split-7z-archive-lab.sh

sudo rm -rf /tmp/restore-test
sudo mkdir -p /tmp/restore-test
7z x "/backups/wp-files-$(date +%F).7z.001" -o/tmp/restore-test

Excluding files and directories

7-Zip supports exclude patterns. For WordPress, you typically exclude cache directories (but keep uploads).

exclude-common-wordpress-caches-7z.sh

7z a -p -mhe=on /backups/wp-files.7z /var/www/html \
  -xr!'wp-content/cache' \
  -xr!'wp-content/*/cache' \
  -xr!'wp-content/uploads/cache'

Including a database dump

It is common to store the database dump next to the file archive, but you can include it inside the same encrypted archive.

warning

Avoid putting database passwords directly on the command line. Prefer interactive prompts or a dedicated MySQL config file.

Example (two-step, easy to validate):

dump-db-and-archive-with-7z.sh

sudo mkdir -p /backups
mysqldump --single-transaction -u DB_USER -p DB_NAME > /backups/wp-db.sql
7z a -p -mhe=on /backups/wp-full.7z /var/www/html /backups/wp-db.sql

If you used tar first (metadata-friendly):

tar-then-7z-with-db.sh

sudo tar -C /var/www/html -cf /backups/wp-files.tar .
mysqldump --single-transaction -u DB_USER -p DB_NAME > /backups/wp-db.sql
7z a -p -mhe=on -v5g /backups/wp-full.tar.7z /backups/wp-files.tar /backups/wp-db.sql

Restore runbook (high signal)

1. Validate the archive first (7z t).
2. Extract to a staging directory.
3. Confirm expected files exist (for example, wp-content/uploads/).
4. Only then copy into place and restore the database.

restore-runbook-7z.sh

7z t /backups/wp-full.7z
sudo rm -rf /tmp/restore-test
sudo mkdir -p /tmp/restore-test
7z x /backups/wp-full.7z -o/tmp/restore-test

Option reference (selected)

Item	Meaning	Example
a	Add/create archive	7z a out.7z dir/
x	Extract with paths	7z x out.7z -o/tmp/restore-test
e	Extract without paths	7z e out.7z -o/tmp/restore-test
l	List contents	7z l out.7z
t	Test integrity	7z t out.7z
-p	Prompt for password	7z a -p secure.7z dir/
-mhe=on	Encrypt headers (file names)	7z a -p -mhe=on secure.7z dir/
-mx=1..9	Compression level	7z a -mx=9 out.7z dir/
-mmt=N	Thread count	7z a -mmt=8 out.7z dir/
-vSIZE	Split volumes	7z a -v2g out.7z dir/
-xr!PAT	Exclude pattern	-xr!'wp-content/cache'

Common pitfalls

• Archiving absolute paths: can restore into unexpected locations.
• Encrypting without -mhe=on: file names remain visible.
• Splitting parts but uploading missing .002/.003: extraction will fail.
• Using maximum compression during peak traffic: can spike load and impact PHP/MySQL.

Troubleshooting

Symptom	Likely cause	Fix
Everything is Ok is missing	Archive corrupted or incomplete	Re-transfer the file(s), then re-run 7z t
CRC Failed	One or more parts corrupted	Re-download the missing part(s)
Wrong password?	Incorrect password or headers encrypted	Confirm password; if -mhe=on is used, listing also requires the password
Compression is extremely slow	Using -mx=9 on small VPS	Lower -mx and/or run off-peak
Restore produces unexpected layout	Archived absolute paths	Prefer tar -C /path ... . patterns before compression

Cheat sheet

Task	Command
Create	7z a out.7z /path/to/dir
Encrypt (prompt)	7z a -p -mhe=on secure.7z /path/to/dir
Split	7z a -v2g out.7z /path/to/dir
List	7z l out.7z
Test	7z t out.7z
Extract	7z x out.7z -o/tmp/restore-test

Mini quiz

1. Which operation lists the contents of a .7z archive?

2. Which option encrypts file names inside the archive?

3. Why might you use tar before 7z?

4. What is the safest default extraction target during a restore drill?