Short answer

Much safer than plaintext on cloud storage, but far less safe than offline physical backup. Security depends entirely on password strength: 7z and VeraCrypt use AES-256, which is mathematically sound, but once an attacker has the encrypted file, they can brute-force your password offline indefinitely — no rate limiting, no login throttle. If your password is "birthday + name," it falls in days. Acceptable strength is a 20+ character random string, and that password cannot live on the same cloud.

The "offline brute-force" reality

Many people's sense of security with encrypted archives comes from the wrong intuition: "without the password, nothing opens." This is true if your password is strong. But most people's passwords are not 256-bit random — they're 12-16 character mixes of common words and birthday digits.

The key concept is offline brute-force. While the encrypted file sits on Google Drive, an attacker needs to compromise the Google account first, and Google has 2FA, rate-limiting, and unfamiliar-location alerts. But once an attacker phishes the Google credentials or hijacks a cookie (as happened in the LastPass 2023 breach), they can immediately download every file that looks interesting to their own machine.

After local download, cracking is pure compute. No throttling, no alerts. A single RTX 4090 running hashcat tries millions to tens of millions of password candidates per second. A weak password falls in hours.

What "sufficiently strong" actually means

For 7z AES-256 to be resistant to a state-actor-level attacker: 20+ character random string, drawn from a 70-character alphabet. That gives roughly 122 bits of entropy. Memorizing this is impractical for most people — and writing it down means you now need to protect two things. The encrypted-archive approach effectively reduces to the same problem you started with.

The recommendation

If you must use cloud storage as one tier of backup: use VeraCrypt with a passphrase generated as a Diceware sequence of 7+ words. Do not store the passphrase on the same cloud. Store it on a separate device, ideally on paper or steel in a different physical location. For most US holders, this is more operational complexity than steel-plus-safe.
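The arithmetic behind the 20-character and Diceware figures above, as an added example that is not part of the original article: it generates both kinds of secret from the OS CSPRNG and estimates offline search time at the upper single-GPU rate quoted earlier. The eight punctuation marks chosen for the 70-symbol alphabet and the function names are assumptions; the 7,776-entry list size is standard Diceware (five dice per word).

```python
import math
import secrets
import string

# Assumption: 70 symbols = 52 letters + 10 digits + 8 punctuation marks.
ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@"
DICEWARE_WORDS = 6 ** 5          # 7,776 entries, one per five-dice roll
GUESSES_PER_SEC = 10_000_000     # upper single-GPU rate quoted in the text
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(choices, picks):
    """Entropy of `picks` independent, uniform selections from `choices`.
    Only valid for machine-generated secrets, never for human-chosen ones."""
    return picks * math.log2(choices)


def years_to_search_half(bits, rate=GUESSES_PER_SEC):
    """Expected years of offline guessing to cover half the keyspace."""
    return 2 ** (bits - 1) / rate / SECONDS_PER_YEAR


def random_password(length=20, alphabet=ALPHABET):
    """Uniform random string from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_rolls(words=7):
    """One five-digit dice roll per word; look each up in a printed list."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5))
            for _ in range(words)]


if __name__ == "__main__":
    for label, bits in [
        ("20 chars / 70 symbols", entropy_bits(len(ALPHABET), 20)),
        ("Diceware, 7 words", entropy_bits(DICEWARE_WORDS, 7)),
    ]:
        print(f"{label}: {bits:.1f} bits, "
              f"~{years_to_search_half(bits):.2e} years at 10M guesses/s")
    print("password:", random_password())
    print("dice rolls:", " ".join(diceware_rolls()))
```

The entropy formula holds only because every symbol or word is picked uniformly at random; a passphrase a person composes from memorable words does not get these numbers.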

Further reading: Five storage methods.