PowerArchiver uses the Microsoft CryptoAPI Enhanced Cryptographic Provider — NIST CMVP certified, validated under FIPS 140-2. This is the same crypto module that ships with Windows Server and is used across federal agencies.
NIST CMVP program →DFARS 252.204-7012 mandates FIPS-validated cryptography for Controlled Unclassified Information (CUI). Because PowerArchiver inherits validation from Microsoft CryptoAPI, deployments meet the DFARS technical requirement without separate certification cost or effort.
For federal contractors →PowerArchiver publishes a public Voluntary Product Accessibility Template (VPAT) documenting Section 508 conformance. Required for federally-funded institutions and increasingly mandated by state-level procurement.
Download VPAT (PDF) →| Validation | Authority | Scope | Reference |
|---|---|---|---|
| FIPS 140-2 | NIST CMVP | Cryptographic module (AES, SHA-2, RSA, HMAC) · validation paperwork at Enterprise tier | CMVP cert list |
| DFARS 252.204-7012 | DoD | CUI protection — inherits FIPS 140-2 validation · Enterprise tier | Self-attestation supported |
| Section 508 | Federal accessibility (29 U.S.C. § 794d) | UI accessibility for federally-funded use | VPAT PDF |
| GDPR-aligned | EU GDPR Art. 32 (technical measures) | Encryption at rest & in transit · no PII processing in product | Architecture statement on request |
| FERPA-compatible | U.S. Dept. of Education | Reasonable methods for student-record protection | Architecture statement on request |
| HIPAA-compatible | U.S. HHS | FIPS-validated AES = recognized safeguard for PHI at rest · validation at Enterprise tier | Architecture statement on request |
| DoD wipe (DoD 5220.22-M) | DoD declassification | Built-in secure-erase for source files after archival | Documented in admin guide |
| Format | Encryption | Key strength | Filename encryption | Notes |
|---|---|---|---|---|
| PAE2 | AES-256 (CBC + HMAC) | 256-bit | Yes (default) | Recommended — PA proprietary, FIPS-validated, encrypt-then-MAC |
| 7Z | AES-256 | 256-bit | Yes (optional) | Cross-tool compatible · 7-Zip, p7zip, others |
| ZIP (AES) | AES-256 (WinZip AE-2) | 256-bit | No (ZIP limitation) | Cross-tool compatible · WinZip, 7-Zip, other ZIP-AES tools |
| ZIP (legacy) | ZipCrypto | 96-bit, weak | No | Read-only support · do not use for new archives |
| OpenPGP | AES-256 + RSA-4096 / ECC | 256-bit symmetric, 4096-bit RSA | N/A (PGP file) | Standard OpenPGP (RFC 4880) · interoperable |
Email security@conexware.com with technical details, reproduction steps, and impact assessment. PGP-encrypted email accepted — public key on request.
Initial acknowledgment within 2 business days. Triage and severity assessment within 5 business days. Patch timeline depends on severity — critical issues prioritized for emergency release.
We coordinate public disclosure with the reporter. Default window is 90 days from acknowledgment to public advisory, extendable for complex issues. Reporters receive credit in the advisory unless they request anonymity.
Marketing/web-property issues (powerarchiver.com), social-engineering attacks against ConeXware staff, and physical attacks. We don't operate a paid bug-bounty program, but we credit responsible disclosures publicly.
Security advisories — when issued — are published in PowerArchiver News with the security-advisory tag. Subscribe to the security-advisory feed to receive notifications.
Email compliance@conexware.com with your institution / company and procurement use case. Same-business-day response on standard requests.
The cryptographic module is FIPS 140-2 validated. PowerArchiver delegates all cryptographic operations (AES, SHA, RSA, HMAC) to the Microsoft CryptoAPI Enhanced Cryptographic Provider, which holds the NIST CMVP certification. PowerArchiver-the-application doesn't implement its own crypto, so there's no separate validation needed for the app — the validation that matters (the crypto primitives) is held by Microsoft and inherited by every program using CryptoAPI in FIPS mode. This is the same pattern used by Windows Server, BitLocker, and most enterprise Windows software handling regulated data.
SOC 2 audits a service organization's operational controls — they apply to SaaS / hosted services. PowerArchiver is desktop software that runs on your hardware; we don't operate a service that processes your data. The SOC 2 framework doesn't naturally apply to a product like PowerArchiver. ConeXware (the company) maintains corporate-level operational controls; if your procurement specifically requires SOC 2 attestation as a vendor risk control, contact compliance@conexware.com with the specific control objectives — we can usually map our existing FIPS / DFARS validation chain to your requirements.
Yes. When Windows is configured with the FIPS local-policy flag (HKLMSystemCurrentControlSetControlLsaFipsAlgorithmPolicy), the CryptoAPI provider operates in FIPS-only mode and rejects non-FIPS algorithms. PowerArchiver inherits that mode and limits itself to FIPS-approved algorithms (AES-256, SHA-2, RSA, HMAC). No PowerArchiver configuration needed beyond the OS-level flag.
Legacy ZIP encryption (ZipCrypto, also called PKZIP encryption) is broken under multiple known attacks and shouldn't be used for new archives. PowerArchiver supports it for read compatibility with older archives, but the create-archive UI defaults to AES-256. Admins can lock encryption choice via MSI properties — see the deployment guide for the registry / GPO key that hides the legacy ZipCrypto option from end users entirely.
No. PowerArchiver is desktop software — files stay on your machine. There's no telemetry, no analytics, no cloud upload of file contents. License activation contacts ConeXware once at activation and on optional update checks; that's the only outbound connection in the default configuration. The product never reads your archive contents and transmits them anywhere. This is part of why GDPR / FERPA / HIPAA workflows route around PowerArchiver cleanly — the product isn't a data processor in the regulatory sense.
No. PowerArchiver uses standard cryptographic primitives (AES, RSA, OpenPGP) implemented by Microsoft CryptoAPI. There's no master key, no backdoor, no recovery escrow — if you lose your password or private key, the data is unrecoverable. We can't recover it for you, even with a court order. This is the trade-off of using validated cryptography correctly; it's also why these algorithms are trusted for federally-funded research and DoD-grade workflows.
Coordinated disclosure on a 90-day default window, extendable for complex issues. Reports go to security@conexware.com. Initial acknowledgment within 2 business days, triage within 5. Public advisory follows after the patch ships. Reporters credited unless they request anonymity. We don't operate a paid bug bounty, but every responsible disclosure gets a public credit. Full policy above.
