How to avoid local caches when I open encrypted files

Security is hard. While I applaud your attempts to use commonly available programs to increase your security, software that wasn't expressly designed for security often does the little things wrong (as you found out). In your case, your rar program makes a local cache of the contents, presumably so it'll run faster - something that most users would be happy about.

TL;DR: the single best way to protect yourself from data leakage on a personal computer is to use full-disk encryption (or encrypt your user's folder if it's a shared computer), a strong password for your user account, don't share your account with anyone, and make sure you log out (or at least lock your screen) whenever you step away from the computer. Also, turn on your firewall to make sure that programs aren't uploading data anywhere without your permission. That way, even if you are using programs that do the little things wrong, it doesn't matter.


You asked:

if anytime I open a rar it caches its content, then is the whole encryption pointless?

To answer this question, let's start by asking what problem the rar software is trying to solve by offering this feature. Their goal is to protect the data while it's in motion; i.e., if I rar a scan of my passport and email it to someone, I want to make sure that nobody can open it unless I give them the password. This feature assumes that the endpoints are secure, meaning that once somebody types in the password, its job is done.

In fact, once it decrypts / unarchives the files and saves them to disk there's really no point in even trying to protect them anymore because every other program on your system can see them. For example, Windows Explorer will index and process the photos in order to display thumbnail previews, leaving cache files behind. And what about actually opening the photos? Which photo viewer will you use? Are you the programmer who wrote it? If not, how do you know that the photo viewer will not make cache files? Or maybe upload your files to the internet? The point is: unless you've personally inspected the source code of every program that's running on your computer (including the OS itself), any one of them could be doing naughty things with your data.

That kind of paranoia is exhausting. Just lock down your user account so that nobody but you can see the data, and let your programs do whatever they want.


This works as designed, because WinRAR must send a plaintext version of the encrypted file to be processed. It's not a flaw. Let's see why.

  • You have a password protected rar file

    At this point, all the data are inside the rar, encrypted and protected. Nobody can read them.

  • You open the rar file on WinRAR

    At this point, all data are still protected, and only WinRAR can read the data. But you need to open an image.

  • You double click the image

    WinRAR will need to decrypt and extract the image before opening it, as your image program cannot read the encrypted and compressed data. WinRAR creates a temporary file, and tells your image program to read it.

  • You close WinRAR, and the image program

    The image is kept there, intact. The default operation of WinRAR does not wipe the temporary files after closing.

To make WinRAR delete the temporary file, you must go to Options -> Security and tell it to always wipe temporary files.

Or you can program a secure viewer, that uses rar libs to process the encrypted rar file, decrypts and decompresses the files, and renders the result without writing a cache file. It's easily doable if you are a programmer.


The answer should be obvious. The un-encrypted contents should never be written to disk. It should be stored in memory as long as it is needed. It can be paged memory if it is very large, but that should not normally be an issue as the kinds of files we are talking about will usually be text files, so will be relatively small. I have had the same issue with my text files being plainly stored in the temp directory. Totally unacceptable! And discovered only by accident. I will look for a more reliable compression utility, not 7zip!
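
One way to check whether plaintext copies are still sitting in the temp directory after the archive tool has been closed, for instance to confirm that the wipe option took effect. This is an added example, not part of the answers above; `find_leftovers` is a hypothetical helper, and the folder-name prefixes it matches are assumptions about how WinRAR and 7-Zip name their temporary extraction folders.

```python
import os
import re
import tempfile
import time

# Assumed naming conventions for the folders created when a file is opened
# from inside an archive (not taken from the page; adjust per tool/version).
LEFTOVER_PATTERNS = {
    "WinRAR": re.compile(r"^Rar\$(DI|DR|EX)", re.IGNORECASE),
    "7-Zip": re.compile(r"^7z[OE][0-9A-F]+$", re.IGNORECASE),
}


def find_leftovers(temp_root=None):
    """Return (tool, path, size_bytes, age_seconds) for extracted files still on disk."""
    temp_root = temp_root or tempfile.gettempdir()
    now = time.time()
    findings = []
    try:
        entries = list(os.scandir(temp_root))
    except OSError:
        return findings  # temp directory missing or unreadable
    for entry in entries:
        if not entry.is_dir(follow_symlinks=False):
            continue
        tool = next((t for t, rx in LEFTOVER_PATTERNS.items()
                     if rx.match(entry.name)), None)
        if tool is None:
            continue
        # Everything under a matching folder is a decrypted copy of archive content.
        for dirpath, _dirs, files in os.walk(entry.path):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                except OSError:
                    continue  # file vanished or is locked by the viewer
                findings.append((tool, path, st.st_size, now - st.st_mtime))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for tool, path, size, age in find_leftovers():
        print(f"{tool}: {path} ({size} bytes, modified {age / 3600:.1f} h ago)")
```

Run it once with the archive tool closed: any line it prints is a decrypted file that outlived the session.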