Last updated on February 21, 2021 by Dan Nanni
Suppose you have written a bash shell script and you want to protect the content of the script while sharing it with others. For example, for whatever reason you don't want the shell script to be viewed for inspection and modified for re-distribution by others. Better yet, you want to set the expiration date on the script, so that the script may not be used beyond the set expiration date.
In this tutorial, I describe how you can encrypt your shell script with an open-source tool called
shc. Before demonstrating actual usage of
shc, let me explain how
shc works and clarify the role of
Billed as a "generic script compiler" by its author,
shc converts any shell script into a binary executable that behaves exactly like the original script. Unlike actual compilers like
shc does not translate the script's source code into lower-level machine language code. Instead, what
shc does is to generate a C code which contains the original shell script in an encrypted form, with added functionality for expiration handling. The generated C code is then compiled by
cc compiler into a binary executable.
shc-Encrypted Shell Script Secure?
The type of encryption used by
shc is a variant of RC4 stream cipher, which is already known to be insecure and prohibited for use in TLS. Besides, the adoption of RC4 in
shc is particularly weak due to the fact that an encryption key is carried inside the encrypted script itself. So relatively straightforward disassembling steps can reveal the encryption password and restore the original shell script. You are not supposed to rely on
shc to hide any confidential shell script from a determined adversary. Rather,
shc can be considered a shell script obfuscater which makes it hard for any non tech-savvy user to peak inside a shell script. You have been warned.
shc is available in the base repositories on most Linux distributions. So you can easily install it with the default package manager. However, I noticed that older versions of
shc have a bug which causes an
shc-encrypted script to consume 100% CPU. If you experience this problem, it is recommended to build the latest
shc (at least version 4.0.3) from the source, which seems to have fixed the bug.
shcon Ubuntu, Debian and Linux Mint
$ sudo apt install shc
shcon CentOS, RHEL or RHEL
On CentOS/RHEL, you need EPEL repository set up first.
$ sudo dnf install shc
shcon Arch Linux
For Arch Linux users, you can check out the AUR.
shcfrom the Source
If you encounter the 100% CPU problem with
shc, you can compile and install
shc from the source as follows.
$ git clone https://github.com/neurobin/shc.git $ git checkout 4.0.3 $ ./autogen.sh $ ./configure $ make $ sudo make install
It is straightforward to encrypt a shell script with
shc. Run the command in the following format. Optionally, you can add
-v (verbose) option to see what's going on.
shc -v -f <path/to/your/script>
In this example,
secret.sh is the original shell script you want to encrypt.
shc first generates a C code named
secret.sh.c which contains the encrypted shell script. This C code is finally compiled by
cc into a binary executable called
secret.sh.x. If you run
secret.sh.x, its execution behavior should be identical to that of
secret.sh, but its content cannot be viewable on a regular text editor.
shcto Set Expiration Date
If you want to set an expiration date on your script, you can use
-e dd/mm/yyyy option to specify the date. Also use
-m option to specify any custom message to show when the script is executed upon expiration.
shc -v -e <expiration-date> -m <message> -f <path/to/your/script>
In this example, I deliberately set the expiration date to a past date (January, 30 2021) for testing. As expected, when the encrypted script is invoked, the custom message is shown.
When you run a
shc-encrypted script, if the script does not produce any output and instead consumes 100% CPU, this is due to a known problem of an older version of
shc. You should build the latest version of
shc as described in this tutorial.
If you see the "shc: invalid first line in script" error, this is because your shell script is missing a "shebang" which indicates the absolute path of the shell interpreter (e.g., #!/bin/bash). The execution of
shc-generated binary still depends on the type of shell specified in the original script. Thus, in order for
shc to encrypt your shell script, you must include a shebang at the first line of the script.
In this tutorial, I demonstrate a shell script compiler called
shc which can be used to protect the content of your shell script. As clarified in the beginning though,
shc is not meant to be used as a security tool, but as an obfuscation tool. If you need a cryptographic solution to encrypt your shell script, you can use other encryption tools like GnuPG's symmetric key encryption.
While the idea of "encrypting" a shell script sounds neat, whether or not users would trust an encrypted shell script is another issue altogether. I myself would not dare to run an encrypted script on my computer unless I known and trust the author of the script. In that sense,
shc can be used under farely special circumstances (e.g., installation scripts from reputable vendors). I wonder your use cases if you have actually used
shc before. Feel free to share your story.
Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.