Does password protecting an archived file actually encrypt it?

Summary: yes, but use VeraCrypt instead.


From the documentation:

WinRAR offers you the benefit of industry strength archive encryption using AES (Advanced Encryption Standard) with a key of 128 bits.

So yes, the data is encrypted. This is only one of the elements of security, however. Another important element is how the key is derived from the password: what kind of key strengthening is performed? The slower the derivation of the key from the password, the more costly it is for an attacker to find the password (and hence the key) by brute force. A weak password is toast anyway, but good key strengthening can make the difference for a reasonably complex but still memorable password. WinRAR uses 262144 rounds of SHA-1 with a 64-bit salt; that's good key strengthening.

An academic paper has been written on the security of WinRAR: On the security of the WinRAR encryption feature by Gary S.-W. Yeo and Raphael C.-W. Phan (ISC'05). Quoting from the abstract (I haven't read the full text, it doesn't seem to be accessible without paying):

In this paper, we present several attacks on the encryption feature provided by the WinRAR compression software. These attacks are possible due to the subtlety in developing security software based on the integration of multiple cryptographic primitives. In other words, no matter how securely designed each primitive is, using them especially in association with other primitives does not always guarantee secure systems. Instead, time and again such a practice has shown to result in flawed systems. Our results, compared to recent attacks on WinZip by Kohno, show that WinRAR appears to offer slightly better security features.

The advantage of using the encryption built into the RAR format is that you can distribute an encrypted RAR archive to anyone with WinRAR, 7zip or other common software that supports the RAR format. For your use case, this is irrelevant. Therefore I recommend using software that is dedicated to encryption.

Since you're using Windows, the de facto standard was TrueCrypt. TrueCrypt provides a virtual disk which is stored as an encrypted file. Not only is this more secure than WinRAR (I trust TrueCrypt, which is written with security in mind from day 1, far more than any product whose encryption is an ancillary feature), it is also more convenient: you mount the encrypted disk by providing your password, then you can open files on the disk transparently, and when you've finished you unmount the encrypted disk. Sadly TrueCrypt is no longer in active development, but its successor VeraCrypt is. VeraCrypt is based on TrueCrypt and is compatible with the old TrueCrypt containers.


Out of curiosity, can what someone writes in their journal be used to incriminate someone in court?

This depends on the jurisdiction, but in general, yes, as they say in the movies, anything you say or write can be used against you. You may be legally compelled to reveal encryption keys, and may face further charges if you refuse.
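The key-strengthening argument in the answer above (every password guess costs the attacker the full iteration count, and the salt stops precomputation) can be seen concretely. The following is an added example, not code from the answer, WinRAR or any project mentioned here. It uses PBKDF2-HMAC-SHA1 from the Python standard library as a stand-in for RAR's own iterated-SHA-1 construction, with the same 262144 rounds and 8-byte salt the answer cites; the verifier value, the wordlist and the cost model are constructed for illustration and are not the RAR format.

```python
import hashlib
import os
import time

# Constructed stand-in for an archive's password-based key derivation. The real
# WinRAR (RAR3) construction iterates SHA-1 in its own way; PBKDF2-HMAC-SHA1 is
# used here because the cost argument only depends on "many iterations of a hash
# over password + salt", not on the exact chaining.
ROUNDS = 262144   # iteration count the answer attributes to WinRAR
SALT_LEN = 8      # 64-bit salt
KEY_LEN = 16      # AES-128 key


def stretch_key(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Derive an AES-128 key from a password; work grows linearly with `rounds`."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, rounds, dklen=KEY_LEN)


def make_verifier(password: str, salt: bytes, rounds: int) -> bytes:
    """A password check value an archive might store (constructed; not RAR's format).
    Deriving it costs one full key stretch, so checking a guess costs the same."""
    return hashlib.sha256(b"verify" + stretch_key(password, salt, rounds)).digest()


def dictionary_attack(verifier: bytes, salt: bytes, rounds: int, candidates):
    """Try candidates in order. Returns (password or None, KDF evaluations spent)."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if make_verifier(cand, salt, rounds) == verifier:
            return cand, attempts
    return None, attempts


def attack_seconds(keyspace: int, rounds: int, hashes_per_second: float) -> float:
    """Rough worst-case search time: each guess costs `rounds` hash evaluations.
    Tripling the rounds triples the attacker's bill; so does tripling the keyspace."""
    return keyspace * rounds / hashes_per_second


def measure_kdf_seconds(rounds: int) -> float:
    """Wall-clock cost of a single derivation at the given round count."""
    t0 = time.perf_counter()
    stretch_key("benchmark", b"\x00" * SALT_LEN, rounds)
    return time.perf_counter() - t0


if __name__ == "__main__":
    salt = os.urandom(SALT_LEN)
    # 1) Same password, different salt -> different key: no precomputed tables.
    assert stretch_key("correct horse", salt) != stretch_key("correct horse", os.urandom(SALT_LEN))
    # 2) The legitimate user pays the stretching cost once per open ...
    print("1 round: %.6fs   %d rounds: %.3fs" % (measure_kdf_seconds(1), ROUNDS, measure_kdf_seconds(ROUNDS)))
    # 3) ... the attacker pays it once per guess. Constructed wordlist, small round
    #    count so the demo finishes quickly; scale by ROUNDS for the real cost.
    verifier = make_verifier("hunter2", salt, 2048)
    found, n = dictionary_attack(verifier, salt, 2048, ["123456", "password", "hunter2", "letmein"])
    print("found %r after %d guesses" % (found, n))
    # 4) A 10-character lowercase password at ~1e9 hashes/s (constructed figure):
    print("worst case ~%.1f years" % (attack_seconds(26 ** 10, ROUNDS, 1e9) / 86400 / 365))
```

The last line is the point of the answer: with a single SHA-1 per guess the same keyspace would fall in hours, and with 262144 rounds it takes years, so key strengthening buys orders of magnitude for a password that is merely decent. It does nothing for a password that is on a short wordlist, which is what the dictionary attack in step 3 shows.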


From the WinRAR benefits page:

WinRAR offers you the benefit of industry strength archive encryption using AES (Advanced Encryption Standard) with a key of 128 bits.

So yes, using password protection encrypts your file too. 7-Zip uses AES-256 encryption. Another approach to protect your files could be creating an encrypted file (or disk) using TrueCrypt, where you can choose the encryption algorithm that suits your needs.

Just remember to use a strong password to prevent brute-force attacks.


You mention "docx" so I assume that you are on Office 2007 or 2010. The encryption mechanism implemented there is OK; you must make sure that your password is strong enough. In other words you do not need to use an external program to protect your file.

A Stack Overflow question covered the encryption algorithms for Office. This is closed-source code so if you are paranoid you should use TrueCrypt.

As for the second part of the question: it completely depends on the legal system you are in. There are two aspects to take into account:

  • whether it is legal to use the content against you (no matter if it is encrypted or not)
  • what happens if you do not give the encryption key and the crypto part is strong enough / correctly implemented so that access is not possible without it.
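A check that fits the original question ("does password protecting actually encrypt it?") and the docx answer above: look at the bytes on disk rather than trusting the dialog. A plain .docx is a ZIP package and starts with "PK"; a password-protected Office 2007+ document is instead wrapped in a Compound File Binary container (the OLE magic bytes) holding the encrypted package. For ZIP archives, the central directory records per entry whether the data is encrypted (general-purpose flag bit 0) and, when WinZip-style AES is used, compression method 99; the file names themselves stay readable in either case. This is an added example, not code from any of the answers; the tiny ZIP builder exists only to construct test archives with those header bits set (it does not encrypt anything) and the classification labels are my own.

```python
import io
import struct
import zipfile
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                          # ZIP local file header
AES_METHOD = 99                                    # WinZip AE-x marker in the method field


def docx_status(data: bytes) -> str:
    """Classify an Office Open XML file by its container (labels are constructed here)."""
    if data.startswith(ZIP_MAGIC):
        return "plain-zip"      # ordinary package: contents readable without any password
    if data.startswith(OLE_MAGIC):
        return "cfb-wrapped"    # how password-protected Office 2007+ files are stored
    return "unknown"


def zip_entry_status(data: bytes):
    """For each ZIP entry return (name, 'none' | 'zipcrypto' | 'aes').
    The name is always visible in the central directory, encrypted or not."""
    result = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not (info.flag_bits & 0x1):
                how = "none"
            elif info.compress_type == AES_METHOD:
                how = "aes"
            else:
                how = "zipcrypto"   # legacy PKWARE stream cipher, known to be weak
            result.append((info.filename, how))
    return result


def build_zip(entries, *, encrypted=False, aes=False) -> bytes:
    """Hand-build a minimal 'stored' ZIP (constructed test data, NOT an encryptor):
    with encrypted=True it only sets the header flag and, for aes=True, method 99,
    so the checker can be exercised without an external encryption library."""
    flags = 0x1 if encrypted else 0
    method = AES_METHOD if (encrypted and aes) else 0
    version = 51 if method == AES_METHOD else 20
    local, central = bytearray(), bytearray()
    for name, payload in entries:
        name_b = name.encode("ascii")
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(local)
        # local header: sig, ver, flags, method, time, date, crc, csize, usize, fnlen, extralen
        local += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", version, flags, method,
                             0, 0x21, crc, len(payload), len(payload), len(name_b), 0)
        local += name_b + payload
        # central directory entry: adds made-by version, comment len, disk, attrs, offset
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", version, version, flags,
                               method, 0, 0x21, crc, len(payload), len(payload), len(name_b),
                               0, 0, 0, 0, 0, offset)
        central += name_b
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


if __name__ == "__main__":
    plain = build_zip([("journal.txt", b"dear diary")])
    aes_zip = build_zip([("journal.txt", b"<ciphertext>")], encrypted=True, aes=True)
    print("plain docx-style package:", docx_status(plain))
    print("CFB-wrapped (constructed header):", docx_status(OLE_MAGIC + b"\x00" * 504))
    print("entries:", zip_entry_status(plain), zip_entry_status(aes_zip))
```

Usage on real files is `docx_status(open(path, "rb").read())` and `zip_entry_status(open(path, "rb").read())`. Two caveats: a CFB container under a .docx name could also be a misnamed legacy .doc, so "cfb-wrapped" means "not a plain package" rather than "strongly encrypted"; and because ZIP keeps entry names in the clear, anyone can list an encrypted archive. RAR (`-hp`) and 7z (`-mhe=on`) can encrypt the file names as well, which is the reason the answers above favour a container such as VeraCrypt when the existence of a file is itself sensitive.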