Purpose: This blog entry explains how to encrypt a shell script on a Linux or Unix-based system. Although there may be other ways to encrypt a shell script, I found this one the easiest to use. We will encrypt the script using the shc utility. I have been using this utility for the last 3 years, and it works great in situations where you want users to execute the shell script but don’t want them to see its source code. So let’s get started…
Step 1: Download or obtain the source
Luckily Debian Etch has “.deb” package for the shc utility so we will use it. On a Debian Etch system do:
# apt-get update;
# apt-get install shc
Now go to step 3 if you are on a Debian Etch system. If you are on a Lenny system then follow step 2.
If you are on a Debian Lenny system (chances are very high) then you will need to download the “.deb” file from the Debian Etch repos. You can either download it from here or give the following commands:
# apt-get update; apt-get install wget
# wget http://http.us.debian.org/debian/pool/main/s/shc/shc_3.8.6-2_i386.deb
This will download the file named shc_3.8.6-2_i386.deb into the directory from where you gave the above command.
If you are on a system other than Debian, you can download the tarball from here or by giving the command:
fedora# wget http://www.datsi.fi.upm.es/%7Efrosal/sources/shc-3.8.6.tgz
Step 2: Install the “.deb” file (only for users on Debian Lenny or Debian Sid)
Once you have downloaded the “.deb” file on your Linux system, install it using the dpkg command:
# dpkg -i <file-you-downloaded-from-step1>
# dpkg -i shc_3.8.6-2_i386.deb
You only need to do the above on a Lenny system. If you are on a Debian Etch system it gets installed automatically.
Step 3: Encrypt your shell script
Now get hold of the shell script that you would like to encrypt. In this example, we will use a bash shell script called cleanlog.sh whose contents are as follows:
#!/bin/bash
# Empty every file found under the current directory
echo "Starting to clear Log files..."
find ./ -type f -print >> list.txt
cat list.txt | while read a_line
do
    cat /dev/null > "$a_line";
done
echo "Log files cleared!"
Now give the following command to encrypt your shell script:
# shc -f cleanlog.sh
You will notice that the above command creates two files:
# ls -l
cleanlog.sh.x – is the encrypted binary file that we will use
cleanlog.sh.x.c – is the C source code file.
Basically, the shc command first converts your shell script into a C program and then compiles the C program into a binary using an encryption algorithm:
Shell Script-> C source code Program-> Binary executable
You can delete the cleanlog.sh.x.c file and your original shell script, cleanlog.sh, safely.
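Before deleting cleanlog.sh, it is worth confirming that no line of the script survives verbatim in the binary and that the binary is not readable by group or other. The following is an added example, not part of the original post or of shc; the function names, the 8-character threshold and the demo files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check an shc output binary before removing the source.
# Function names, the 8-character threshold and the demo files are assumptions.

# Print each script line (8+ chars; blanks and comments skipped) that appears
# verbatim inside the binary. Returns 0 if nothing leaks, 1 otherwise.
plaintext_leaks() {
    script=$1; binary=$2; leaked=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim leading whitespace so indentation cannot hide a match.
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case $line in ''|'#'*) continue ;; esac
        [ "${#line}" -ge 8 ] || continue
        if grep -a -q -F -- "$line" "$binary"; then
            printf 'leaked: %s\n' "$line"
            leaked=1
        fi
    done < "$script"
    return "$leaked"
}

# Succeed only if group and other lack the read bit ("chmod go-r" in shc -v output).
not_world_readable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    group_r=$(printf '%s' "$perms" | cut -c5)
    other_r=$(printf '%s' "$perms" | cut -c8)
    [ "$group_r" != r ] && [ "$other_r" != r ]
}

check_shc_binary() {
    plaintext_leaks "$1" "$2" && not_world_readable "$2"
}

# Constructed demo: a stand-in "binary" that still embeds one script line.
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/bash\necho "Starting to clear Log files..."\n' > "$dir/cleanlog.sh"
    printf 'ELF\001\002echo "Starting to clear Log files..."\003' > "$dir/bad.x"
    chmod 711 "$dir/bad.x"
    if check_shc_binary "$dir/cleanlog.sh" "$dir/bad.x"; then
        echo "no plaintext found, permissions ok"
    else
        echo "do not remove the source yet"
    fi
    rm -rf "$dir"
}
demo
```

Passing this check only rules out plain-text leakage and loose file permissions; it says nothing about recovery with a debugger.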
Step 4: Execute your encrypted shell script
Now you are ready to execute your shell script:
Starting to clear Log files...
Log files cleared!
1. There are some neat features that you can enable by passing some options to the shc command. For example do this:
# shc -v -r -f cleanlog.sh
shc [-x]=exec '%s' "$@"
shc: cc cleanlog.sh.x.c -o cleanlog.sh.x
shc: strip cleanlog.sh.x
shc: chmod go-r cleanlog.sh.x
The above options:
“-f” – Specifies the file name of the script to encrypt; it must be given every time.
“-v” – Tells the shc command to be verbose.
“-r” – Tells shc command to relax the security measure i.e. make a redistributable binary which executes on different systems running the same operating system (from man page).
So, for example, if you try to execute the binary generated in Step 4 (i.e. built without the “-r” option) on a different Linux system (by copying the executable from the system on which it was compiled to another Linux system), you won’t be able to execute it and you will get an error message like this:
Please contact your provider
2. Furthermore, there are other options, like the following, which you can try:
-e date      Expiration date in dd/mm/yyyy format [none]
-m message   Message to display upon expiration ["Please contact your provider"]
# shc -v -r -e 17/01/2009 -m "Your program has expired" -f cleanlog.sh
3. If you get the following error messages upon giving the above command:
# shc -f cleanlog.sh
cleanlog.sh.x.c:108:22: error: sys/stat.h: No such file or directory
cleanlog.sh.x.c:109:23: error: sys/types.h: No such file or directory
cleanlog.sh.x.c:111:19: error: errno.h: No such file or directory
cleanlog.sh.x.c:112:19: error: stdio.h: No such file or directory
cleanlog.sh.x.c:113:20: error: stdlib.h: No such file or directory
cleanlog.sh.x.c:114:20: error: string.h: No such file or directory
cleanlog.sh.x.c:115:18: error: time.h: No such file or directory
cleanlog.sh.x.c:116:20: error: unistd.h: No such file or directory
cleanlog.sh.x.c: In function 'key_with_file':
cleanlog.sh.x.c:178: error: array type has incomplete element type
cleanlog.sh.x.c:179: error: array type has incomplete element type
cleanlog.sh.x.c:185: warning: incompatible implicit declaration of built-in function 'memset'
then give the following command:
# apt-get install gcc libc6-dev
Last but not least, there is no guarantee that this utility will give you very strong security protection. Experienced users or hackers who have sufficient knowledge of “gdb” or other debugger tools can decrypt your shell script. It does, however, provide a good starting point for encrypting (hiding) shell scripts from “regular” users if you are a system administrator.
That’s it folks. Enjoy encrypting your shell scripts.