Encrypt Shell Script on Linux using SHC

shc - Generic shell script compiler

SYNOPSIS
       shc [ -e date ] [ -m addr ] [ -i iopt ] [ -x cmnd ] [ -l lopt ] [ -o outfile ] [ -ABCDhUHvSr ] -f script

DESCRIPTION
       shc creates a stripped binary executable version of the script specified with -f on the command line.

       The binary version will get a .x extension appended by default if outfile is not defined with [-o outfile] option and will usually be a bit larger in size than the original ascii code.  Generated C source code is saved in a file with the extension .x.c or in a file specified with an appropriate option.

       If you supply an expiration date with the -e option, the compiled binary will refuse to run after the date specified.  The message Please contact your provider will be displayed instead.  This message can be changed with the -m option.

       You can compile any kind of shell script, but you need to supply valid -i, -x, and -l options.

       The compiled binary will still be dependent on the shell specified in the first line of the shell code (i.e.  #!/bin/sh), thus shc does not create completely independent binaries.

       shc itself is not a compiler such as cc, it rather encodes and encrypts a shell script and generates C source code with the added expiration capability.  It then uses the system compiler to compile a stripped binary that behaves exactly like the original script.  Upon execution, the compiled binary will decrypt and execute the code with the shell -c option.  Unfortunately, it will not give you any speed improvement as a real C program would.

       shc's main purpose is to protect your shell scripts from modification or inspection.  You can use it if you wish to distribute your scripts but don't want them to be easily readable by other people.


Steps to encrypt the files

1) Install SHC on Linux.

I am using Linux 7 here

 yum install shc 
or 
download from https://centos.pkgs.org/7/okey-x86_64/shc-3.8.9-5.el7.centos.x86_64.rpm.html



2) Create the shell script which needs to be encrypted. I am using a sample script I have created for this example.

[himanshu@oel7 ~]$ cat order.sh
#!/bin/bash
menu1=pizaa
menu2=burger
echo $menu1
echo $menu2

[himanshu@oel7 ~]$ ./order.sh
pizaa
burger

3) Encrypt shell script using SHC.

[himanshu@oel7 ~]$ shc -f order.sh

After encryption, three files are present:

-rwxr-xr-x. 1 himanshu himanshu    62 Jul 21 20:40 order.sh
-rw-rw-r--  1 himanshu himanshu 17771 Oct 18 23:17 order.sh.x.c
-rwxrwxr-x  1 himanshu himanshu 11216 Oct 18 23:17 order.sh.x

order.sh is the original unencrypted shell script.
order.sh.x is the encrypted shell script in binary format.
order.sh.x.c is the C source code generated from order.sh. This C source code is compiled to create the encrypted order.sh.x file above. The whole logic behind shc is to convert the order.sh shell script into the order.sh.x.c C program and then compile that to generate the order.sh.x executable.


[himanshu@oel7 ~]$ file  order.sh 
order.sh: Bourne-Again shell script, ASCII text executable
[himanshu@oel7 ~]$ file order.sh.x.c
order.sh.x.c: C source, ASCII text
[himanshu@oel7 ~]$ file order.sh.x
order.sh.x: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=469b3a7758b1b165130711853a80075b8c940c43, stripped


4) Run encrypted shell script.

[himanshu@oel7 ~]$ ./order.sh.x
pizaa
burger

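Now, for security, you can move order.sh and order.sh.x.c to a safe location and use only the binary file. Keep in mind that the binary decrypts the script and hands it to the shell at run time, so treat this as a barrier to casual reading rather than a place to store secrets.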


Other cool features available with SHC are 

a) Specifying Expiration Date for Shell Script

Using shc you can also specify an expiration date, i.e. after this date anyone who tries to execute the shell script gets an error message.

Create a new encrypted shell script using the “shc -e” option to specify an expiration date. The expiration date is specified in the dd/mm/yyyy format.

$ shc -e 17/10/2020 -f order.sh

In this example, if someone tries to execute order.sh.x after the expiration date given with -e (17/10/2020), they’ll get a default expiration message as shown below.

[himanshu@oel7 bkp]$ shc -e 17/10/2020 -f order.sh
[himanshu@oel7 bkp]$ ls -ltr
total 36
-rwxr-xr-x. 1 himanshu himanshu    62 Jul 21 20:40 order.sh
-rw-rw-r--  1 himanshu himanshu 17972 Oct 18 23:29 order.sh.x.c
-rwxrwxr-x  1 himanshu himanshu 11256 Oct 18 23:29 order.sh.x
[himanshu@oel7 bkp]$ ./order.sh.x
./order.sh.x: has expired!
Please contact your provider

To display a custom message instead, use the -m option:
$ shc -e 17/10/2020 -m "Contact support@funoracleapps.com for latest version of this script" -f order.sh

[himanshu@oel7 bkp]$ shc -e 17/10/2020 -m "Contact support@funoracleapps.com for latest version of this script" -f order.sh
[himanshu@oel7 bkp]$ ./order.sh.x
./order.sh.x: has expired!
Contact support@funoracleapps.com for latest version of this script


b) Create Redistributable Encrypted Shell Scripts

Apart from -e, and -m (for expiration), you can also use the following options:

-r will relax security to create a redistributable binary that executes on other systems that run the same operating system as the one on which it was compiled.

-v is for verbose

[himanshu@oel7 bkp]$ shc -v -r  -f order.sh
shc shll=bash
shc [-i]=-c
shc [-x]=exec '%s' "$@"
shc [-l]=
shc opts=
shc: cc   order.sh.x.c -o order.sh.x
shc: strip order.sh.x
shc: chmod ug=rwx,o=rx order.sh.x
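
The steps above can be wrapped into one build helper. This is an added example, not part of shc or of the original post: the function names, the YYYY-MM-DD input form and the ./dist/order output path are assumptions. It converts the date into the dd/mm/yyyy form that -e expects, checks that the interpreter from the #! line exists (the binary still depends on it), and deletes the generated .x.c file so it is not shipped by accident.

```shell
#!/bin/sh
# Added example: the shc steps above as reusable functions.
# Function names and the YYYY-MM-DD input form are assumptions of this example.

# Convert YYYY-MM-DD to the dd/mm/yyyy form that "shc -e" expects.
shc_expiry() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    case "$y" in [0-9][0-9][0-9][0-9]) ;; *) return 1 ;; esac
    case "$m" in 0[1-9]|1[0-2]) ;; *) return 1 ;; esac
    case "$d" in 0[1-9]|[12][0-9]|3[01]) ;; *) return 1 ;; esac
    printf '%s/%s/%s\n' "$d" "$m" "$y"
}

# Print the interpreter from the script's #! line. The compiled binary
# still depends on that shell, so it must exist wherever the binary runs.
shc_interpreter() {
    first=
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case "$first" in
        '#!'*) ;;
        *) echo "$1: no #! line" >&2; return 1 ;;
    esac
    set -- ${first#??}          # drop "#!" and split off interpreter arguments
    [ -n "$1" ] && printf '%s\n' "$1"
}

# Build SCRIPT with an expiry date and message, move the binary to OUT,
# and delete the generated C source so it is not shipped by accident.
shc_build() {   # usage: shc_build script out YYYY-MM-DD "message"
    script=$1; out=$2; msg=$4
    exp=$(shc_expiry "$3") || { echo "bad date: $3" >&2; return 1; }
    interp=$(shc_interpreter "$script") || return 1
    [ -x "$interp" ] || { echo "$interp: not found" >&2; return 1; }
    shc -e "$exp" -m "$msg" -f "$script" || return 1
    [ -x "$script.x" ] || { echo "shc produced no binary" >&2; return 1; }
    rm -f "$script.x.c"
    mv "$script.x" "$out"
}

# Example call (needs shc installed; output path is a placeholder):
#   shc_build order.sh ./dist/order 2030-12-31 "Please contact your provider"
```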


