Encrypting CUIE Files for External Use

This article should be used in conjunction with the CUI Environment tiCrypt User Guide. The instructions below outline how to encrypt files intended for use outside of the Controlled Unclassified Information Environment (CUIE). This protects the confidentiality of the files to be shared. Be sure to reference your Technology Control Plan (TCP) as well for specific guidance on transferring data to ensure that you are in compliance with your system requirements.

How to use 7-Zip to encrypt files and folders

7-Zip is an open source software used to compress or zip files secured with encryption. When you send or transfer files that contain personally identifiable information (PII) or other sensitive data, the files must be encrypted to ensure that they are protected from unauthorized disclosure. 7-Zip creates a container called an archive that holds the files to be protected. That archive can be encrypted and protected with a password.

  1. Right click on the file/folder to be encrypted. Select 7-Zip then Add to archive….

    'Add to archive' button highlighted in the 7-Zip drop-down of the right-click menu.

  2. In the Add to Archive window change the name of the archive you wish to create.


  3. Change the Archive format to .zip.


  4. Change the Encryption Method to AES-256. There is a trade-off between using AES-256 and ZipCrypto. AES-256 is more secure than ZipCrypto but if you select AES-256, the recipient of the ZIP file may have to install 7-zip or another zip program to read the file contents. Selecting ZipCrypto may allow users to open the ZIP file in Windows without a zip program, but it does not provide adequate protection against attackers with modern cracking tools. It is strongly recommended that you use AES-256 to protect sensitive data.


  5. Enter a password. Use a strong password with at least 8 characters containing upper and lowercase letters, and a minimum of one number.


  6. Select Ok to create the encrypted archive file. The new archive file will be located in the same folder as the original. Best security practices recommend that you do not email the password with the ZIP file as it could be intercepted in transit. It is better to call the recipient of the ZIP file and convey the password over the phone.

Best practices for sending encrypted data via email

  1. Use a strong, unique password to encrypt files.
  2. When sending the intended receiver encrypted data, be sure to avoid using terms associated with the content in the Subject line or Body of the email.
  3. Send the password that decrypts the files in a separate email. Avoid using terms associated with the content in the Subject line or Body of the email. Or, provide the password via phone, directly to the intended receiver.
  4. Confirm the encrypted file has been received and decrypted with the user.
  5. Use a new password each time an encrypted file must be sent via email again. Avoid using the same passwords for the same files.