Do you have scripts that contain sensitive information like passwords,
and do you depend on file permissions alone to keep them secure? That
type of security is good provided you keep your system secure and no
user has a “ps -ef” loop running in an attempt to capture that
sensitive info (though some applications mask passwords in “ps”
output). A program called “shc” can be used to add an extra layer of
security to those shell scripts. shc encrypts a shell script using RC4
and builds an executable binary from it that runs like the original
shell script. This utility is great for scripts that require a password
to encrypt or decrypt something, or that pass a password to a command
as a command-line argument.
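The “ps -ef” exposure mentioned above can be checked directly. The following is an added example, not part of the original article: it starts a stand-in consumer process, hands it a constructed password once as a command-line argument and once on standard input, and reports whether the password is visible in the process's argument list. The names DEMO_SECRET, argv_of, secret_in_argv and launch_and_check are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: does a password show up in the process list?
# DEMO_SECRET is a constructed value (suffix = this shell's PID), not a credential.
DEMO_SECRET="Constructed-Demo-Pw-$$"

# Print the argument vector of process $1, as "ps -ef" would show it.
argv_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"      # Linux: NUL-separated arguments
    else
        ps -o args= -p "$1" 2>/dev/null       # POSIX ps fallback
    fi
}

# Return 0 if string $2 appears in the argument vector of process $1.
secret_in_argv() {
    argv_of "$1" | grep -qF -- "$2"
}

# Start a stand-in consumer that receives the secret by method $1
# (argv or stdin), inspect its arguments, print "exposed" or "hidden".
launch_and_check() {
    case "$1" in
        argv)   # secret handed over as a command-line argument
            sh -c 'pw=$1; sleep 3; :' consumer "$DEMO_SECRET" >/dev/null 2>&1 &
            ;;
        stdin)  # secret written to the consumer's standard input
            printf '%s\n' "$DEMO_SECRET" |
                sh -c 'read -r pw; sleep 3; :' consumer >/dev/null 2>&1 &
            ;;
        *)
            echo "usage: launch_and_check argv|stdin" >&2
            return 2
            ;;
    esac
    pid=$!
    sleep 1                                   # let the child start
    if secret_in_argv "$pid" "$DEMO_SECRET"; then result=exposed; else result=hidden; fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$result"
}

echo "password as argument: $(launch_and_check argv)"
echo "password on stdin:    $(launch_and_check stdin)"
```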
Download shc (http://www.datsi.fi.upm.es/~frosal/)
and untar it:
tar -xzvf shc-X.X.tgz
cd shc-X.X/
make
make install
A binary named “shc” will be created along with some test programs. Let’s give it a try.
Create a file called script.sh with the following contents:
############################### script.sh ##############################
#!/bin/sh
echo "I love This Article So much And This Site Too…"
############################### script.sh ##############################
Now run the command:
shc -f script.sh
The switch “-f” specifies the source script to encrypt. The above command will create two files: script.sh.x.c and script.sh.x.
The program “shc” generates C source code containing your shell script in encrypted form (script.sh.x.c) and compiles it into the encrypted executable, script.sh.x. Run that binary and see the output:
./script.sh.x
I love This Article So much And This Site Too…
Now copy the original “script.sh” file to a floppy
disk or some other system for backup or in case you need to edit it in
the future. Then, delete it from the server and delete the “script.sh.x.c” file it creates.
Neat feature
You can also specify a time limit on the shell script so that it will
no longer execute after a certain date, and you can specify a custom
message to echo back to the user. Run this command on the “script.sh” file we created earlier in this tutorial:
shc -e 09/10/2004 -m "Dude it is too late to run this script." -f script.sh
./script.sh.x
./script.sh.x has expired!
Dude it is too late to run this script.
In the above command, October 9, 2004 is set as the expiration date (-e 09/10/2004), and a custom message (-m "Dude it is too late to run this script.") is set to display to the user when the binary is executed. Note that the date format is dd/mm/yyyy.
Check out the man pages for more info on “shc”. Remember that the binary
is only encrypted on the local system. If you encrypt a script that transmits
sensitive information in clear text across a network, you will still need an
encrypted communication channel to transmit that information.