Infrastructure at your Service

Morgan Patou

Encryption of shell scripts

In this blog, I will talk about the encryption of files and in particular the encryption of a shell script because that was my use case. Before starting, some people may say/think that you shouldn’t encrypt any scripts and I globally agree with that BUT I still think that there might be some exceptions. I will not debate this further but I found the encryption subject very interesting so I thought I would write a small blog with my thoughts.

 

Encryption?

So, when we talk about encryption, what is it exactly? There are actually two not-so-different concepts that people often mix up: encryption and obfuscation. The encryption is a technique to keep an information confidential by changing its form, which becomes unreadable. The obfuscation, on the other hand, refers to the protection of something by trying to hide it, convert it into something more difficult to read but it’s not completely unreadable. The main difference is that if you know what technique was used to encrypt something, you cannot decrypt it without the key while you can remove the obfuscation if you know how it was done.

The reason why I’m including this small paragraph in this blog is because when I was searching for a way to encrypt a shell script in Linux, I read a LOT of blogs and websites that just got it wrong… The problem with encrypted shell scripts is that at some points, the Operating System will need to know which commands should be executed. So, at some point, it will need to be decrypted.

 

Shell script

So, let’s start with the creation a test shell script that I will use for the rest of this blog. I’m creating a small, very simple, test script which contains a non-encrypted password that I need to enter correctly in order to get an exit code of 0. If the password is wrong, after 3 tries, I should get an exit code of 1. Please note that if the shell script contains interactions, then you need to use the redirection from tty (“< /dev/tty”) like I did in my example.

Below I’m displaying the content of this script and using it, without encryption, to show you the output. Please note that in my scripts, I included colors (green for INFO and OK, yellow for WARN and red for ERROR messages) which aren’t displayed in the blog… Sorry about that but I can’t add colors to the blog unfortunately!

[morgan@linux_server_01 ~]$ cat test_script.sh
#!/bin/bash
#
# File: test_script.sh
# Purpose: Shell script to test the encryption solutions
# Author: Morgan Patou (dbi services)
# Version: 1.0 29-Jul-2017
#
###################################################

### Defining colors & execution folder
red_c="33[31m"
yellow_c="33[33m"
green_c="33[32m"
end_c="33[m"
script_folder=`which ${0}`
script_folder=`dirname ${script_folder}`

### Verifying password
script_password="TestPassw0rd"
echo
echo -e "${green_c}INFO${end_c} - This file is a test script to test the encryption solutions."
echo -e "${green_c}INFO${end_c} - Entering the correct password will return an exit code of 0."
echo -e "${yellow_c}WARN${end_c} - Entering the wrong password will return an exit code of 1."
echo
retry_count=0
retry_max=3
while [ "${retry_count}" -lt "${retry_max}" ]; do
  echo
  read -p "  ----> Please enter the password to execute this script: " entered_password < /dev/tty
  if [[ "${entered_password}" == "${script_password}" ]]; then
    echo -e "${green_c}OK${end_c} - The password entered is the correct one."
    exit 0
  else
    echo -e "${yellow_c}WARN${end_c} - The password entered isn't the correct one. Please try again."
    retry_count=`expr ${retry_count} + 1`
  fi
done

echo -e "${red_c}ERROR${end_c} - Too many failed attempts. Exiting."
exit 1

[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$ chmod 700 test_script.sh
[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$ ./test_script.sh

INFO - This file is a test script to test the encryption solutions.
INFO - Entering the correct password will return an exit code of 0.
WARN - Entering the wrong password will return an exit code of 1.


  ----> Please enter the password to execute this script: Password1
WARN - The password entered isn't the correct one. Please try again.

  ----> Please enter the password to execute this script: Password2
WARN - The password entered isn't the correct one. Please try again.

  ----> Please enter the password to execute this script: Password3
WARN - The password entered isn't the correct one. Please try again.
ERROR - Too many failed attempts. Exiting.
[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$ echo $?
1
[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$ ./test_script.sh

INFO - This file is a test script to test the encryption solutions.
INFO - Entering the correct password will return an exit code of 0.
WARN - Entering the wrong password will return an exit code of 1.


  ----> Please enter the password to execute this script: TestPassw0rd
OK - The password entered is the correct one.
[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$ echo $?
0
[morgan@linux_server_01 ~]$

 

As you can see above, the script is doing what I expect it to do so that’s fine.

 

SHc?

So, what is SHc? Is it really a way to encrypt your shell scripts?

Simple answer: I would NOT use SHc for that. I don’t have anything against SHc, this is actually a utility that might be useful but from my point of view, it’s clearly not a good solution for encrypting a shell script.

 

SHc is a utility (check its website) that – from a shell script – will create a C source code which represents it using a RC4 algorithm. This C source code contains a random structure as well as the decryption method. Then it is compiled to create a binary file. The problem with SHc is that the binary file contains the original shell script (encrypted) but also the decryption materials because this is needed to execute it. So, let’s install this utility:

[morgan@linux_server_01 ~]$ wget http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.9b.tgz
--2017-07-29 14:10:14--  http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.9b.tgz
Resolving www.datsi.fi.upm.es... 138.100.9.22
Connecting to www.datsi.fi.upm.es|138.100.9.22|:80... connected.
Proxy request sent, awaiting response... 200 OK
Length: 20687 (20K) [application/x-gzip]
Saving to: “shc-3.8.9b.tgz”

100%[===================================================================>] 20,687      --.-K/s   in 0.004s

2017-07-29 14:10:14 (5.37 MB/s) - “shc-3.8.9b.tgz” saved [20687/20687]

[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$ tar -xvzf shc-3.8.9b.tgz
shc-3.8.9b/CHANGES
shc-3.8.9b/Copying
shc-3.8.9b/match
shc-3.8.9b/pru.sh
shc-3.8.9b/shc-3.8.9b.c
shc-3.8.9b/shc.c
shc-3.8.9b/shc.1
shc-3.8.9b/shc.README
shc-3.8.9b/shc.html
shc-3.8.9b/test.bash
shc-3.8.9b/test.csh
shc-3.8.9b/test.ksh
shc-3.8.9b/makefile
shc-3.8.9b/testit
[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$ cd shc-3.8.9b/
[morgan@linux_server_01 shc-3.8.9b]$
[morgan@linux_server_01 shc-3.8.9b]$ make
cc -Wall  shc.c -o shc
***     Do you want to probe shc with a test script?
***     Please try...   make test
[morgan@linux_server_01 shc-3.8.9b]$

 

At this point, I only built the utility locally because I will be removing it shortly. Now, let’s “encrypt” the file using shc:

[morgan@linux_server_01 shc-3.8.9b]$ cp ../test_script.sh ./
[morgan@linux_server_01 shc-3.8.9b]$
[morgan@linux_server_01 shc-3.8.9b]$ ls test_script*
test_script.sh
[morgan@linux_server_01 shc-3.8.9b]$
[morgan@linux_server_01 shc-3.8.9b]$ ./shc -f test_script.sh
[morgan@linux_server_01 shc-3.8.9b]$
[morgan@linux_server_01 shc-3.8.9b]$ ls test_script*
test_script.sh  test_script.sh.x  test_script.sh.x.c
[morgan@linux_server_01 shc-3.8.9b]$
[morgan@linux_server_01 shc-3.8.9b]$ # Removing the C source code and original script
[morgan@linux_server_01 shc-3.8.9b]$ rm test_script.sh test_script.sh.x.c
[morgan@linux_server_01 shc-3.8.9b]$
[morgan@linux_server_01 shc-3.8.9b]$ # Renaming the "encrypted" file to .bin
[morgan@linux_server_01 shc-3.8.9b]$ mv test_script.sh.x test_script.bin
[morgan@linux_server_01 shc-3.8.9b]$
[morgan@linux_server_01 shc-3.8.9b]$ ls test_script*
test_script.bin
[morgan@linux_server_01 shc-3.8.9b]$

 

So above, I used shc and it created two files:

  • test_script.sh.x => This is the C compiled file which can then be executed. I renamed it to test_script.bin to really see the differences between the files
  • test_script.sh.x.c => This is the C source code which I removed since I don’t need it

 

At this point, if you try to view the content of the .bin file (previously test_script.sh.x), you will not be able to see the real content and you will see something that looks like a real .bin executable. To see its “binary” content, you can use the “strings” command which will display all readable (printable) words from the file and you will see that we cannot see the password or any commands from the original shell script. So, at first look, that seems to be a success, the shell script seems to be encrypted:

[morgan@linux_server_01 shc-3.8.9b]$ strings test_script.bin
/lib64/ld-linux-x86-64.so.2
__gmon_start__
libc.so.6
sprintf
perror
__isoc99_sscanf
fork
...
EcNB
,qIB`^
gLSI
U)L&
fX4u
j[5,
[morgan@linux_server_01 shc-3.8.9b]$
[morgan@linux_server_01 shc-3.8.9b]$
[morgan@linux_server_01 shc-3.8.9b]$ ./test_script.bin
 
INFO - This file is a test script to test the encryption solutions.
INFO - Entering the correct password will return an exit code of 0.
WARN - Entering the wrong password will return an exit code of 1.
 
 
  ----> Please enter the password to execute this script: Password1
WARN - The password entered isn't the correct one. Please try again.
 
  ----> Please enter the password to execute this script: TestPassw0rd
OK - The password entered is the correct one.
[morgan@linux_server_01 shc-3.8.9b]$
[morgan@linux_server_01 shc-3.8.9b]$ echo $?
0
[morgan@linux_server_01 shc-3.8.9b]$

 

So, what is the issue with SHc? Why am I saying that this isn’t a suitable encryption solution? Well that’s because you can always just strip the text out of the file or substitute the normal shell to another one in order to grab the text when it runs. There are also several projects on GitHub (like UnSHc) which will allow you to retrieve the original content of the shell script and to revert the changes done by SHc. This works because the content of the bin file is predictable and can be analysed in order to decrypt it. So, that’s not really a good solution I would say.

There are a lot of ways to see the original content of a file encrypted by SHc. One of them being just checking the list of processes and you will see that the original shell script is actually passed as a parameter to the binary file in this format: ./test_script.bin -c   <<<a lot of spaces>>>    <<<script_unencrypted_newlines_separated_by_’?’>>>. See below my example:

[morgan@linux_server_01 shc-3.8.9b]$ ./test_script.bin& (ps -ef | grep "test_script.bin" | grep -v grep > test_decrypt_content.sh)
[morgan@linux_server_01 shc-3.8.9b]$
[morgan@linux_server_01 shc-3.8.9b]$
[morgan@linux_server_01 shc-3.8.9b]$ # The real file is in 1 line only. For readability on the blog, I split that in several lines 
[morgan@linux_server_01 shc-3.8.9b]$ cat test_decrypt_content.sh
405532   20125  2024  0 16:18 pts/3    00:00:00 ./test_script.bin -c                                                                              
                                                                                                                                                  
                                                                                                                                                  
                                                                                                                                                  
                                                                                                                                                  
                                                                                                                                                  
#!/bin/bash?#?# File: test_script.sh?# Purpose: Shell script to test the encryption solutions?# Author: Morgan Patou (dbi services)?# Version: 1.029-Jul-2017?
#?###################################################??### Defining colors & execution folder?red_c="33[31m"?yellow_c="33[33m"?green_c="33[32m"?end_c="\
033[m"?script_folder=`which ${0}`?script_folder=`dirname ${script_folder}`??### Verifying password?script_password="TestPassw0rd"?echo?echo -e "${green_c}INFO
${end_c} - This file is a test script to test the encryption solutions."?echo -e "${green_c}INFO${end_c} - Entering the correct password will return an exit c
ode of 0."?echo -e "${yellow_c}WARN${end_c} - Entering the wrong password will return an exit code of 1."?echo?retry_count=0?retry_max=3?while [ "${retry_coun
t}" -lt "${retry_max}" ]; do?  echo?  read -p "  ----> Please enter the password to execute this script: " entered_password < /dev/tty?  if [[ "${entered_pass
word}" == "${script_password}" ]]; then?    echo?    echo -e "${green_c}OK${end_c} - The password entered is the correct one."?    exit 0?  else?    echo -e "
${yellow_c}WARN${end_c} - The password entered isn't the correct one. Please try again."?    retry_count=`expr ${retry_count} + 1`?  fi?done??echo -e "${red_c
}ERROR${end_c} - Too many failed attempts. Exiting."?exit 1?? ./test_script.bin
[morgan@linux_server_01 shc-3.8.9b]$

 

As you can see above, the whole content of the original shell script is displayed in the “ps” command. Not very hard to find out what is the original content… With a pretty simple command, we can even reformat the original file:

[morgan@linux_server_01 shc-3.8.9b]$ sed -i -e 's,?,\n,g' -e 's,.*     [[:space:]]*,,' test_decrypt_content.sh
[morgan@linux_server_01 shc-3.8.9b]$
[morgan@linux_server_01 shc-3.8.9b]$ cat test_decrypt_content.sh
#!/bin/bash
#
# File: test_script.sh
# Purpose: Shell script to test the encryption solutions
# Author: Morgan Patou (dbi services)
# Version: 1.0 29-Jul-2017
#
###################################################

### Defining colors & execution folder
red_c="33[31m"
yellow_c="33[33m"
green_c="33[32m"
end_c="33[m"
script_folder=`which ${0}`
script_folder=`dirname ${script_folder}`

### Verifying password
script_password="TestPassw0rd"
echo
echo -e "${green_c}INFO${end_c} - This file is a test script to test the encryption solutions."
echo -e "${green_c}INFO${end_c} - Entering the correct password will return an exit code of 0."
echo -e "${yellow_c}WARN${end_c} - Entering the wrong password will return an exit code of 1."
echo
retry_count=0
retry_max=3
while [ "${retry_count}" -lt "${retry_max}" ]; do
  echo
  read -p "  ----> Please enter the password to execute this script: " entered_password < /dev/tty
  if [[ "${entered_password}" == "${script_password}" ]]; then
    echo -e "${green_c}OK${end_c} - The password entered is the correct one."
    exit 0
  else
    echo -e "${yellow_c}WARN${end_c} - The password entered isn't the correct one. Please try again."
    retry_count=`expr ${retry_count} + 1`
  fi
done

echo -e "${red_c}ERROR${end_c} - Too many failed attempts. Exiting."
exit 1

 ./test_script.bin
[morgan@linux_server_01 shc-3.8.9b]$

 

And voila, with two very simple command, it is possible to retrieve the original file with its original formatting too (just remove the final line which is the call of the script itself). Please also note that if the original script contains some ‘?’ characters, they will also be replaced with a newline but that’s spotted pretty easily. With Shell options, you can also just ask your shell to print all commands that it executes so again without even additional commands you can see the content of the binary file.

 

What solution then?

For this section, I will re-use the same un-encrypted shell script (test_script.sh). So, what can be done to really protect a shell script? Well there are no perfect solutions because like I said previously, at some point, the OS will need to know which commands should be executed and for that purpose, it needs to be decrypted. There are a few ways to encrypt a shell script but the simplest would probably be to use openssl because it’s quick, it’s free and it’s portable without having to install anything since openssl is usually already there on Linux. Also, it allows you to choose the encryption algorithm you want to use. To encrypt the base file, I created a small shell script which I named “encrypt_script.sh”. This shell script takes an input file which is the un-encrypted original file and a second parameter is the output file which will contain the encryption:

[morgan@linux_server_01 shc-3.8.9b]$ cd ..
[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$ ls
encrypt_script.sh shc-3.8.9b  shc-3.8.9b.tgz  test_script.sh
[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$ rm -rf shc-3.8.9b*
[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$ cat encrypt_script.sh
#!/bin/bash
#
# File: encrypt_script.sh
# Purpose: Script to encrypt a shell script and provide the framework around it for execution
# Author: Morgan Patou (dbi services)
# Version: 1.0 26/03/2016
#
###################################################

### Defining colors & execution folder
green_c="33[32m"
end_c="33[m"
script_folder="`which ${0}`"
script_folder="`dirname ${script_folder}`"
encryption="aes-256-cbc"

### Help
if [[ ${#} != 2 ]]; then
  echo -e "`basename ${0}`: usage: ${green_c}`basename ${0}`${end_c} <${green_c}shell_script_to_encrypt${end_c}> <${green_c}encrypted_script${end_c}>"
  echo -e "\t<${green_c}shell_script_to_encrypt${end_c}>  : Name of the shell script to encrypt. Must be placed under '${green_c}${script_folder}${end_c}'"
  echo -e "\t<${green_c}encrypted_script${end_c}>         : Name of the encrypted script to be created. The file will be created under '${green_c}${script_folder}${end_c}'"
  echo
  exit 1
else
  shell_script_to_encrypt="${1}"
  encrypted_script="${2}"
fi

### Encrypting the input file into a temp file
openssl enc -e -${encryption} -a -A -in "${script_folder}/${shell_script_to_encrypt}" > "${script_folder}/${shell_script_to_encrypt}.txt"

### Creating the output script with the requested name and containing the content to decrypt it
echo "#!/bin/bash" > "${script_folder}/${encrypted_script}"
echo "# " >> "${script_folder}/${encrypted_script}"
echo "# File: ${encrypted_script}" >> "${script_folder}/${encrypted_script}"
echo "# Purpose: Script containing the encrypted version of ${shell_script_to_encrypt} (this file has been generated using `basename ${0}`)" >> "${script_folder}/${encrypted_script}"
echo "# Author: Morgan Patou (dbi services)" >> "${script_folder}/${encrypted_script}"
echo "# Version: 1.0 26/03/2016" >> "${script_folder}/${encrypted_script}"
echo "# " >> "${script_folder}/${encrypted_script}"
echo "###################################################" >> "${script_folder}/${encrypted_script}"
echo "" >> "${script_folder}/${encrypted_script}"
echo "#Storing the encrypted script in a variable" >> "${script_folder}/${encrypted_script}"
echo "encrypted_script=\"`cat "${script_folder}/${shell_script_to_encrypt}.txt"`\"" >> "${script_folder}/${encrypted_script}"
echo "" >> "${script_folder}/${encrypted_script}"
echo "#Decrypting the encrypted script and executing it" >> "${script_folder}/${encrypted_script}"
echo "echo \"\${encrypted_script}\" | openssl enc -d -${encryption} -a -A | sh -" >> "${script_folder}/${encrypted_script}"
echo "" >> "${script_folder}/${encrypted_script}"

### Removing the temp file and setting the output file to executable
rm "${script_folder}/${shell_script_to_encrypt}.txt"
chmod 700 "${script_folder}/${encrypted_script}"
[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$ ./encrypt_script.sh
encrypt_script.sh: usage: encrypt_script.sh <shell_script_to_encrypt> <encrypted_script>
        <shell_script_to_encrypt>  : Name of the shell script to encrypt. Must be placed under '/home/morgan'
        <encrypted_script>         : Name of the encrypted script to be created. The file will be created under '/home/morgan'

[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$ ./encrypt_script.sh test_script.sh encrypted_test_script.sh
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$
[morgan@linux_server_01 ~]$ # The real variable "encrypted_script" below is in 1 line only. For readability, I split that in several lines
[morgan@linux_server_01 ~]$ cat encrypted_test_script.sh
#!/bin/bash
#
# File: encrypted_test_script.sh
# Purpose: Script containing the encrypted version of test_script.sh (this file has been generated using encrypt_script.sh)
# Author: Morgan Patou
# Version: 1.0 26/03/2016
#
###################################################

#Storing the encrypted script in a variable
encrypted_script="U2FsdGVkX18QaIvqrQ27FQE8fNhJi2Izi9zRHwANEEt4WJkA3gQzOkrPOF+JYpIEFuvjweL2Eq02vr0MhkjMXIGXYlLipQ7U8TG912/9LdUOYlEx7YV4/1g9enBfZc2gBRHcGL6XW7oMih3wexGNrrq3J5Ys+mDgrmKDLJ75aU6v87iIPFi2ZfFx2NchAc4tHHDQ8gcZFLMByCkWwPZoicx8ODgUstNLRHKTMA7nj/v0fig1BLygQUQpEFjvNTScK6MT01aby8DvNuka0t0hjavTcP8gBEFVC5GQk3Ds/FVQBDqCdltxIhtnHGgbetloKHVwieSw+OsfKyKj9fuOKJ4RRCb7pNq42FHtiwUHhy2FkpxbkJxLgT3uMJopqJy3dU8tlf3nRqGQbm1eNZsf+uWLxgmd7Eq5rsywZjwjbsq1oIeCGzEq4k6WNCbMi3O1RIkKmJ6eR1q8pZcmLT6sEGJUlO3PfkD7ONcO4Ta48zCi7Rsi1PNJouGyNK8NrD34pbEKwu9MTsYTyNzKHCScDjt8QQne6NB+3ODQM26/6SAUM5gd9WmzZMByW6gFyKmkXhRxHsWDlNN5SJDbdd5w4r7+guqnLo/31hZSC2GZLSbQzrmz5FMKoriSuSxmZITQMV5yMp1IaYzJGxTECyl2V5g89aiOLqhehlM6c4uDfkPYZtZlmPX1JVfTTTy7dUeu08VUQqzvU2qdJV4g2rKJQtMw7py4B4a8E0+ShQgpp/Zi6yvKDxlzx9oZC+Gjtegg7TEsOx4kiefzSr+s3Vy/5puBza1vFBG51ZygyDb+p/ptCrmwUClY9qqR7bm+Wd9uRsG41XxReI5WXyZt1t/GZT0x5EkYQ5tn1DKQMc33G1f11yYTSZinwbbO49qL5xw0ZCSUB5AKTBye+b3rHTNKIhkd16P3+rkUN5fjMgUgEo0ojhh99PmwzszVJYdZQdliyHXbn1PJNMa4BLebmcH8PP6uzz8IDaMLrhHkFGTlkTQY+DoMPCb5FXztth3+FVry/Z2AdFDKogB7rXFfWeGWfQ4F+nZnvcqzasZTL9vWLGiFYCovra29ul5pHU5xLeTxi6FSC5naoT2yj0KY2jaRyPc4MKhb5T6DU/K/Wgj/0TNIS0TL/sbReprFtU0f/Kj6z/tzsIucBb0hN9QFIlOBzDfS0dz5xYoMlJ4Es22iMELiNhvF/zv6+j7IE0QdxhfcnJbYZAA9/ehL2osABkSCOBwUH8dkC1CSAvjgYB/WZSGAWpQhrARWTIJiwEYeMMh1+lRmR9qk4OrWzzJrgLvKOrYTjeAMmXZrRFt8vGQ5I7jiJN2VwET4zqm8pppY4eptK9Uaac2sEunGoxg0eBhuWY6dYgDeW6RMa3kK4wJ3DafJLlhmrhpxULEI8Owo8SzJjHpR+UrhrK3hPBw/Zy30El6MCIJ6pJNgeETpF4naK/EZqqKzrxQ8uSAwLDIucVVtOEdV+4lIcISPV1jza2O4eMu/1W39jSs6sA1ORb8H/taSkYvO80iygERCcYCxNBHZEW3mWRzGGWwojpQjmKaALCHYxprmXdKaL8aDoV+43V+90UO++gfamW8kWxzVeV7R/VoyhQQ1R+tem5eGZSsRpMEL7k1p7YIwyg3Yxt3bha22DEDf0UUzzOwakpnK09gzCnxH3RUSSNnutEkTSw9I22IZXJRkrHydARauj7S0Fd9MDRPgBRloiELVNM2uVNyCdFtMheg8q0wlF+GKLvWyzQ=="

#Decrypting the encrypted script and executing it
echo "${encrypted_script}" | openssl enc -d -aes-256-cbc -a -A | sh -

[morgan@linux_server_01 ~]$

 

As you can see above, when encrypting the shell script, you will have to enter an encryption password. This is NOT the password contained in the original shell script. This is a new password that you define and that you will need to remember because without it, you will NOT be able to execute it properly. Also, you can see that the file “encrypted_test_script.sh” contains the variable “encrypted_script”. This variable is the encrypted string representing the original shell script.

/!\ Please note that if you replace “sh -” at the end of the file with “cat” for example, then upon execution, you will see the content of the original shell script. That suppose that you know the password to decrypt it, of course, so that’s still secure. However, it would be easy for someone with bad intentions to change the file encrypted_script.sh so that when you execute it and provide the right password, it in fact send it via email or something like that. I will not describe it but it would be possible to protect you against that by using signatures for example so you are sure the content of the shell script is the one you generated and it hasn’t been tampered.

So like I said before, no perfect solutions… Or at least no easy solutions.

 

To execute the encrypted script, enter the encryption password and then the script is executed automatically:

[morgan@linux_server_01 ~]$ ./encrypted_test_script.sh
enter aes-256-cbc decryption password:

INFO - This file is a test script to test the encryption solutions.
INFO - Entering the correct password will return an exit code of 0.
WARN - Entering the wrong password will return an exit code of 1.


  ----> Please enter the password to execute this script: Password1
WARN - The password entered isn't the correct one. Please try again.

  ----> Please enter the password to execute this script: TestPassw0rd
OK - The password entered is the correct one.
[morgan@linux_server_01 ~]$

 

Complicated topic, isn’t it? I’m not a security expert but I like these kind of subjects, so… If you have other ideas or thoughts, don’t hesitate to share!

 

 

Leave a Reply


3 + = five

Morgan Patou
Morgan Patou

Senior Consultant