Small scripts for safe data transfer when simplicity, reproducibility, and a minimal dependency set matter.
| Path | Purpose |
|---|---|
scripts/*.nu |
Nushell scripts |
ci/*.nu |
CI scripts written in Nushell |
.github/workflows/ci.yml |
GitHub Actions workflow for the smoke test |
docker/ |
Project Docker images |
tasks/*.yml |
Taskfile tasks |
Taskfile.yml |
Root Taskfile with project task includes |
Files such as *.rar, *.zip, *.7z, *.tar.gz, and *.txt should not be committed to Git. This is intentional: the repository should store scripts, not transferred data, checksums, or temporary artifacts.
Requirements
Two commands must be available in PATH:
nu- Nushell;7z- 7-Zip.
Windows:
winget install Nushell.Nushell
winget install 7zip.7zipmacOS с Homebrew:
brew install nushell
brew install sevenzipLinux:
# Debian/Ubuntu
sudo apt install nushell 7zip
# Arch Linux
sudo pacman -S nushell 7zipCheck the installation:
nu --version
7zIf 7z is not found, add the 7-Zip installation directory to PATH. On Windows, this is usually:
C:\Program Files\7-Zip
Quick start
Create an encrypted archive:
nu scripts/encrypt_archive.nu input.zip output.7z "your-strong-password"The script:
- removes the old destination file if it already exists;
- creates a new
7zarchive; - enables header encryption with
-mhe=on; - creates a checksum file next to the archive.
Example output:
output.7z
output.7z_2026-05-26_sha256.txt
Important
The script uses
7z a -t7z, so the actual output format is7z. You can use any output file name, but the.7zextension is recommended so the name matches the contents.
Command format
nu scripts/encrypt_archive.nu <src> <dst> <key>Parameters:
| Parameter | Purpose |
|---|---|
src |
Source file or archive to protect |
dst |
Path to the output encrypted archive |
key |
Encryption password |
Example:
nu scripts/encrypt_archive.nu data.zip data_encrypted.7z "correct horse battery staple"src and dst must be different files. The script intentionally stops if the input and output paths are the same.
Integrity check
After the archive is created, a file appears next to it:
<dst>_<date>_sha256.txt
It stores the archive name and its SHA-256 hash. This file lets the recipient verify that the archive was not damaged or replaced during transfer.
Check the hash manually in Nushell:
open output.7z --raw | hash sha256Compare the result with the value in output.7z_YYYY-MM-DD_sha256.txt.
Decryption check
Before sending the archive, it is useful to confirm that it opens with the password you plan to share with the recipient:
7z t output.7z -p"your-strong-password"Extract the archive:
7z x output.7z -p"your-strong-password"If the password contains spaces or special characters, keep the quotes.
Run with Docker
Build and run the container version:
docker compose --profile archive run --rm --build encrypt-archive input.zip output.7z "your-strong-password"The same command through Task:
task encrypt_archive:run -- input.zip output.7z "your-strong-password"-- separates task arguments from arguments passed to task itself.
The container mounts the project root at /workspace, so input and output paths are relative to the repository root.
CI and smoke tests
CI builds the Docker image from docker/encrypt_archive/Dockerfile and runs the Nu script:
nu ci/smoke.nuThe smoke test creates a temporary test file, encrypts it with scripts/encrypt_archive.nu, verifies the SHA-256 file, runs 7z t, extracts the archive, and compares the extracted payload with the original.
You can run the same path locally as GitHub Actions:
docker build --file docker/encrypt_archive/Dockerfile --tag safe-archive-ci .
docker run --rm --entrypoint nu --volume "${PWD}:/workspace" --workdir /workspace safe-archive-ci ci/smoke.nuTemporary files are created in .tmp/ci-smoke.
- Prepare the source file or archive.
- Create an encrypted
7zarchive withscripts/encrypt_archive.nu. - Verify test opening with
7z t. - Send the encrypted archive and the
SHA-256file to the recipient. - Send the password separately from the archive, through another channel.
- Ask the recipient to verify the hash before extraction.