How to encrypt a shell script

Last updated on February 21, 2021 by Dan Nanni

Suppose you have written a bash shell script and you want to protect the content of the script while sharing it with others. For example, for whatever reason you don't want the shell script to be viewed for inspection and modified for re-distribution by others. Better yet, you want to set the expiration date on the script, so that the script may not be used beyond the set expiration date.

In this tutorial, I describe how you can encrypt your shell script with an open-source tool called shc. Before demonstrating actual usage of shc, let me explain how shc works and clarify the role of shc.

What is shc?

Billed as a "generic script compiler" by its author, shc converts any shell script into a binary executable that behaves exactly like the original script. Unlike actual compilers like gcc, shc does not translate the script's source code into lower-level machine language code. Instead, what shc does is to generate a C code which contains the original shell script in an encrypted form, with added functionality for expiration handling. The generated C code is then compiled by cc compiler into a binary executable.

Is shc-Encrypted Shell Script Secure?

The type of encryption used by shc is a variant of RC4 stream cipher, which is already known to be insecure and prohibited for use in TLS. Besides, the adoption of RC4 in shc is particularly weak due to the fact that an encryption key is carried inside the encrypted script itself. So relatively straightforward disassembling steps can reveal the encryption password and restore the original shell script. You are not supposed to rely on shc to hide any confidential shell script from a determined adversary. Rather, shc can be considered a shell script obfuscater which makes it hard for any non tech-savvy user to peak inside a shell script. You have been warned.

Install shc on Linux

shc is available in the base repositories on most Linux distributions. So you can easily install it with the default package manager. However, I noticed that older versions of shc have a bug which causes an shc-encrypted script to consume 100% CPU. If you experience this problem, it is recommended to build the latest shc (at least version 4.0.3) from the source, which seems to have fixed the bug.

Install shc on Ubuntu, Debian and Linux Mint

$ sudo apt install shc

Install shc on CentOS, RHEL or RHEL

On CentOS/RHEL, you need EPEL repository set up first.

$ sudo dnf install shc

Install shc on Arch Linux

For Arch Linux users, you can check out the AUR.

Build shc from the Source

If you encounter the 100% CPU problem with shc, you can compile and install shc from the source as follows.

$ git clone https://github.com/neurobin/shc.git
$ git checkout 4.0.3
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install

Encrypt a Shell Script with shc

It is straightforward to encrypt a shell script with shc. Run the command in the following format. Optionally, you can add -v (verbose) option to see what's going on.

Basic Usage of shc

shc -v -f <path/to/your/script>

In this example, secret.sh is the original shell script you want to encrypt. shc first generates a C code named secret.sh.c which contains the encrypted shell script. This C code is finally compiled by cc into a binary executable called secret.sh.x. If you run secret.sh.x, its execution behavior should be identical to that of secret.sh, but its content cannot be viewable on a regular text editor.

Usage of shc to Set Expiration Date

If you want to set an expiration date on your script, you can use -e dd/mm/yyyy option to specify the date. Also use -m option to specify any custom message to show when the script is executed upon expiration.

shc -v -e <expiration-date> -m <message> -f <path/to/your/script>

In this example, I deliberately set the expiration date to a past date (January, 30 2021) for testing. As expected, when the encrypted script is invoked, the custom message is shown.

Troubleshooting

1. 100% CPU is Consumed by an Encrypted Script

When you run a shc-encrypted script, if the script does not produce any output and instead consumes 100% CPU, this is due to a known problem of an older version of shc. You should build the latest version of shc as described in this tutorial.

2. Encryption Error: "shc: invalid first line in script"

If you see the "shc: invalid first line in script" error, this is because your shell script is missing a "shebang" which indicates the absolute path of the shell interpreter (e.g., #!/bin/bash). The execution of shc-generated binary still depends on the type of shell specified in the original script. Thus, in order for shc to encrypt your shell script, you must include a shebang at the first line of the script.

Summary

In this tutorial, I demonstrate a shell script compiler called shc which can be used to protect the content of your shell script. As clarified in the beginning though, shc is not meant to be used as a security tool, but as an obfuscation tool. If you need a cryptographic solution to encrypt your shell script, you can use other encryption tools like GnuPG's symmetric key encryption.

While the idea of "encrypting" a shell script sounds neat, whether or not users would trust an encrypted shell script is another issue altogether. I myself would not dare to run an encrypted script on my computer unless I known and trust the author of the script. In that sense, shc can be used under farely special circumstances (e.g., installation scripts from reputable vendors). I wonder your use cases if you have actually used shc before. Feel free to share your story.

Support Xmodulo

This website is made possible by minimal ads and your gracious donation via PayPal (Credit Card) or Bitcoin (1M161JGAkz3oaHNvTiPFjNYkeABox8rb4g).

Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.

Xmodulo © 2021 ‒ AboutWrite for UsFeed ‒ Powered by DigitalOcean