To extract a password-protected ZIP, drop it into Zro7 Extract Archive. When libarchive.js hits an encrypted entry, a password prompt appears; type it once and the archive decrypts locally. Both AES-256 (WinZip AE-2) and legacy ZipCrypto are supported. The password lives in memory only and never leaves your browser.
The two encryption schemes you'll meet
- AES-256 (WinZip AE-2) — modern, secure. Produced by WinZip, 7-Zip, macOS Archive Utility, and Zro7 Create ZIP.
- ZipCrypto — the legacy scheme Windows Explorer's Send to → Compressed folder still uses. Cryptographically weak but universally supported.
What Zro7 handles automatically
- Detects the encryption type from the entry header.
- Prompts for a password on the first encrypted entry, then reuses it for the rest.
- Extracts selected entries or the whole archive.
- Reports the exact entry that fails if the password is wrong.
Filenames aren't secret
Standard ZIP encryption leaves filenames in plaintext in the central directory. Zro7 Inspect Archive shows them without needing the password. If your filenames themselves are sensitive, use a 7z container with encrypt filenames enabled.
Forgot the password?
There's no recovery. AES-256 has no back door, and even ZipCrypto attacks (Biham-Kocher, plaintext attack) require ~13 GB of RAM and matching known plaintext — beyond a browser tab. Ask the sender to re-send with a fresh password.
Why local matters
Cloud unlockers (unzip-online, ezyzip) receive both the encrypted archive and the password. Even with HTTPS the operator sees plaintext of both, which nullifies the encryption you paid for. Browser-side decryption keeps both on your device.
Steps
- Open Extract Archive.
- Drop the encrypted ZIP.
- Enter the password when prompted; extract entries.
Zro7