Purpose: This blog entry explains how to encrypt a shell script on a Linux or Unix-based system. Although there might be other ways to encrypt your shell script, I found this one the easiest to use. We will encrypt the script using the shc utility. I have been using this utility for the last 3 years and it works great in situations where you want users to execute the shell script but at the same time you don’t want them to see the source code of the shell script. So let’s get started…

Step 1: Download or obtain the source

Luckily Debian Etch has “.deb” package for the shc utility so we will use it.  On a Debian Etch system do:

# apt-get update;
# apt-get install shc

Now go to step 3 if you are on a Debian Etch system. If you are on a Lenny system then follow step 2.

If you are on a Debian Lenny system (chances are very high) then you will need to download the “.deb” file from the Debian Etch repos. You can either download it from here or give the following commands:

# apt-get update; apt-get install wget
# wget http://http.us.debian.org/debian/pool/main/s/shc/shc_3.8.6-2_i386.deb

This will download the file named  shc_3.8.6-2_i386.deb into the directory from where you gave the above command.

If you are on a system other than Debian, you can download the tarball from here or by giving the command:

fedora# wget http://www.datsi.fi.upm.es/%7Efrosal/sources/shc-3.8.6.tgz

Step 2:  Install the “.deb” file (only for users on Debian Lenny or Debian Sid)

Once you have downloaded the “.deb” file on your Linux system, install it using dpkg command:

# dpkg -i <file-you-downloaded-from-step1>
Example:
# dpkg -i shc_3.8.6-2_i386.deb

You only need to do the above on a Lenny system. If you are on a Debian Etch system it gets installed automatically.
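
An added example, not part of the original post: the download in Step 1 goes over plain HTTP and the package is then installed as root, so it is worth checking the file's SHA-256 before running dpkg. The function names are hypothetical, and the expected digest is an assumption you must supply from a trusted source; none is given on this page.

```shell
#!/bin/bash
# Added example: only run "dpkg -i" when the package matches a known SHA-256.
# The expected digest must be obtained out of band; it is not on this page.

# sha256_matches FILE EXPECTED_HEX
# returns 0 on match, 1 on mismatch, 2 on unusable input
sha256_matches() {
    local file expected actual
    file=$1
    # accept digests copied in upper case
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # a SHA-256 digest is exactly 64 hexadecimal characters
    case $expected in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest has wrong length" >&2; return 2; }
    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# install_verified_deb FILE EXPECTED_HEX
# installs the package only after the digest check passes
install_verified_deb() {
    if sha256_matches "$1" "$2"; then
        dpkg -i "$1"
    else
        echo "refusing to install $1: digest check failed" >&2
        return 1
    fi
}

# Usage (placeholder digest, replace with the real one):
#   install_verified_deb shc_3.8.6-2_i386.deb <sha256-from-trusted-source>
```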

Step 3: Encrypt your shell script

Now get hold of the shell script that you would like to encrypt. In this example, we will use a bash shell script called cleanlog.sh whose contents are as follows:

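#!/bin/bash
echo "Starting to clear Log files..."
# Stop if /var/log is not accessible, so nothing elsewhere gets truncated
cd /var/log || exit 1
# Truncate every regular file in place; piping find straight into the loop
# avoids writing a list.txt inside /var/log that would itself be processed
find . -type f -print | while IFS= read -r a_line
do
    : > "$a_line"
done
cd
echo "Log files cleared!"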

Now give the following command to encrypt your shell script:

# shc -f cleanlog.sh

You will notice that the above command creates two files:

# ls -l
cleanlog.sh.x.c
cleanlog.sh.x

cleanlog.sh.x – is the encrypted binary file that we will use

cleanlog.sh.x.c – is the C source code file.

Basically, the shc command first converts your shell script into a C program that holds the script in encrypted form, and then compiles that C program into a binary:

Shell script -> C source code program -> Binary executable

You can delete the cleanlog.sh.x.c file and your original shell script, cleanlog.sh, safely.

Step 4: Execute your encrypted shell script

Now you are ready to execute your shell script:

# ./cleanlog.sh.x
Starting to clear Log files...
Log files cleared!
#

Additional Notes

1. There are some neat features that you can enable by passing some options to the shc command. For example do this:

# shc -v -r -f cleanlog.sh
shc shll=bash
shc [-i]=-c
shc [-x]=exec '%s' "$@"
shc [-l]=
shc opts=
shc: cc  cleanlog.sh.x.c -o cleanlog.sh.x
shc: strip cleanlog.sh.x
shc: chmod go-r cleanlog.sh.x
#

The above options:

“-f” – Specifies the file name of the script to compile; it has to be given every time.

“-v” – Tells the shc command to be verbose.

“-r” – Tells the shc command to relax the security measure, i.e. make a redistributable binary which executes on different systems running the same operating system (from the man page).

So, for example, if you take the binary you ran in Step 4 (i.e. built without the “-r” option), copy it from the system on which it was compiled to another Linux system and try to execute it there, it will not run and you will get an error message like this:

system2# ./cleanlog.sh.x
./cleanlog.sh.x: ªÃ¨«ZÉÆ¥«ÞÀãì+
ï'ÛìHhas expired!
Please contact your provider
system2:~#

2. Furthermore, there are other options, such as the following, which you can try:

-e date
          Expiration date in dd/mm/yyyy format [none]
-m message
          message to display  upon  expiration  ["Please  contact
          your provider"]

# shc -v -r -e 17/01/2009 -m "Your program has expired" -f cleanlog.sh

3. If you get the following error messages upon giving the above command:

# shc -f cleanlog.sh
cleanlog.sh.x.c:108:22: error: sys/stat.h: No such file or directory
cleanlog.sh.x.c:109:23: error: sys/types.h: No such file or directory
cleanlog.sh.x.c:111:19: error: errno.h: No such file or directory
cleanlog.sh.x.c:112:19: error: stdio.h: No such file or directory
cleanlog.sh.x.c:113:20: error: stdlib.h: No such file or directory
cleanlog.sh.x.c:114:20: error: string.h: No such file or directory
cleanlog.sh.x.c:115:18: error: time.h: No such file or directory
cleanlog.sh.x.c:116:20: error: unistd.h: No such file or directory
cleanlog.sh.x.c: In function 'key_with_file':
cleanlog.sh.x.c:178: error: array type has incomplete element type
cleanlog.sh.x.c:179: error: array type has incomplete element type
cleanlog.sh.x.c:185: warning: incompatible implicit declaration of built-in function 'memset'
.....................
.....................

then give the following command:

# apt-get install gcc libc6-dev

Last but not least: there is no guarantee that this utility will provide very strong security protection. Experienced users or hackers who have sufficient knowledge of “gdb” or other debugger tools can decrypt your shell script. It does, however, provide a good starting point for encrypting (hiding) shell scripts from “regular” users if you are a system administrator.
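
An added example, not from the original post: because the script text can be recovered from the shc binary, the script should not carry credentials. The hypothetical audit_script function below flags lines that look like hard-coded secrets so they can be moved out before running shc; its patterns are illustrative assumptions, not an exhaustive list.

```shell
#!/bin/bash
# Added example: pre-build check for a script that is about to be compiled
# with shc. Anything embedded in the script should be treated as readable
# by whoever receives the binary.

# audit_script FILE
# prints "LINE_NO:TEXT" for each suspicious non-comment line
# returns 0 when nothing is flagged, 1 when lines were flagged, 2 if unreadable
audit_script() {
    local file hits
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # 1) NAME=literal where NAME mentions password/secret/token/api key
    #    (values that start with $ are variable references and are skipped)
    # 2) PEM private key header
    # 3) scheme://user:password@host URLs
    hits=$(grep -nEi \
        -e '(passw(or)?d|secret|token|api[_-]?key)[a-z0-9_]*="?[^$"[:space:]]' \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -e '[a-z][a-z0-9+.-]*://[^/[:space:]:@]+:[^/[:space:]@]+@' \
        -- "$file" | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Usage: build only when the audit is clean
#   audit_script cleanlog.sh && shc -f cleanlog.sh
```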

That’s it folks. Enjoy encrypting your shell scripts.
