Last updated on February 21, 2021 by Dan Nanni
Suppose you have written a bash shell script and you want to protect the content of the script while sharing it with others. For example, for whatever reason you don't want the shell script to be viewed for inspection and modified for re-distribution by others. Better yet, you want to set the expiration date on the script, so that the script may not be used beyond the set expiration date.
In this tutorial, I describe how you can encrypt your shell script with an open-source tool called shc
. Before demonstrating actual usage of shc
, let me explain how shc
works and clarify the role of shc
.
shc
?Billed as a "generic script compiler" by its author, shc
converts any shell script into a binary executable that behaves exactly like the original script. Unlike actual compilers like gcc
, shc
does not translate the script's source code into lower-level machine language code. Instead, what shc
does is to generate a C code which contains the original shell script in an encrypted form, with added functionality for expiration handling. The generated C code is then compiled by cc
compiler into a binary executable.
shc
-Encrypted Shell Script Secure?The type of encryption used by shc
is a variant of RC4 stream cipher, which is already known to be insecure and prohibited for use in TLS. Besides, the adoption of RC4 in shc
is particularly weak due to the fact that an encryption key is carried inside the encrypted script itself. So relatively straightforward disassembling steps can reveal the encryption password and restore the original shell script. You are not supposed to rely on shc
to hide any confidential shell script from a determined adversary. Rather, shc
can be considered a shell script obfuscater which makes it hard for any non tech-savvy user to peak inside a shell script. You have been warned.
shc
on Linuxshc
is available in the base repositories on most Linux distributions. So you can easily install it with the default package manager. However, I noticed that older versions of shc
have a bug which causes an shc
-encrypted script to consume 100% CPU. If you experience this problem, it is recommended to build the latest shc
(at least version 4.0.3) from the source, which seems to have fixed the bug.
shc
on Ubuntu, Debian and Linux Mint$ sudo apt install shc
shc
on CentOS, RHEL or RHELOn CentOS/RHEL, you need EPEL repository set up first.
$ sudo dnf install shc
shc
on Arch LinuxFor Arch Linux users, you can check out the AUR.
shc
from the SourceIf you encounter the 100% CPU problem with shc
, you can compile and install shc
from the source as follows.
$ git clone https://github.com/neurobin/shc.git $ git checkout 4.0.3 $ ./autogen.sh $ ./configure $ make $ sudo make install
shc
It is straightforward to encrypt a shell script with shc
. Run the command in the following format. Optionally, you can add -v
(verbose) option to see what's going on.
shc
shc -v -f <path/to/your/script>
In this example, secret.sh
is the original shell script you want to encrypt. shc
first generates a C code named secret.sh.c
which contains the encrypted shell script. This C code is finally compiled by cc
into a binary executable called secret.sh.x
. If you run secret.sh.x
, its execution behavior should be identical to that of secret.sh
, but its content cannot be viewable on a regular text editor.
shc
to Set Expiration DateIf you want to set an expiration date on your script, you can use -e dd/mm/yyyy
option to specify the date. Also use -m
option to specify any custom message to show when the script is executed upon expiration.
shc -v -e <expiration-date> -m <message> -f <path/to/your/script>
In this example, I deliberately set the expiration date to a past date (January, 30 2021) for testing. As expected, when the encrypted script is invoked, the custom message is shown.
When you run a shc
-encrypted script, if the script does not produce any output and instead consumes 100% CPU, this is due to a known problem of an older version of shc
. You should build the latest version of shc
as described in this tutorial.
If you see the "shc: invalid first line in script" error, this is because your shell script is missing a "shebang" which indicates the absolute path of the shell interpreter (e.g., #!/bin/bash). The execution of shc
-generated binary still depends on the type of shell specified in the original script. Thus, in order for shc
to encrypt your shell script, you must include a shebang at the first line of the script.
In this tutorial, I demonstrate a shell script compiler called shc
which can be used to protect the content of your shell script. As clarified in the beginning though, shc
is not meant to be used as a security tool, but as an obfuscation tool. If you need a cryptographic solution to encrypt your shell script, you can use other encryption tools like GnuPG's symmetric key encryption.
While the idea of "encrypting" a shell script sounds neat, whether or not users would trust an encrypted shell script is another issue altogether. I myself would not dare to run an encrypted script on my computer unless I known and trust the author of the script. In that sense, shc
can be used under farely special circumstances (e.g., installation scripts from reputable vendors). I wonder your use cases if you have actually used shc
before. Feel free to share your story.
This website is made possible by minimal ads and your gracious donation via PayPal or credit card
Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.
Xmodulo © 2021 ‒ About ‒ Write for Us ‒ Feed ‒ Powered by DigitalOcean