0

How can I encrypt my bash shell script on a Linux server?

The shell script contains credentials of other servers for remote access. The problem is I do not want others with the same level of access to view the shell script, modify it or get the credentials. Is there any way to encrypt my shell script? My initial research led me to a shell encryption utility known as SHC - Shell script Compiler. But tons of information is available on this utility that it can be circumvented. What other choices do I have?

Ali Ahmad
  • Context of my question is different from one with which it is tagged as duplicate. – Ali Ahmad Apr 13 '14 at 14:21
  • The solution to your problem is to use a different method that doesn't require the credentials to be present on that server. You haven't given nearly enough information to help you with that. – Gilles 'SO- stop being evil' Apr 13 '14 at 18:48
  • @Gilles you got my problem. I know any solutions which require credentials to be present on the same server will not work in my case. Instead of reinventing the wheel, what alternatives do I have? – Ali Ahmad Apr 13 '14 at 20:10
  • You should edit your question to describe a secure way of storing credentials rather than focusing on DRM. You should also further elaborate on what the same level of access is. There are ways to expose a credential only during use of which the first thought of mine is via an RPC call to a hardware USB token that requires you to touch it. – Jeff Ferland Apr 13 '14 at 20:39

2 Answers

1

You could try to encrypt the script using standard methods and decode it on the fly by giving the secret key either directly or through a process. But, this would only help against attackers which have no permissions to modify any of your data or the programs you call, which especially means that they have neither root permission nor the same uid as you. And in this case a simple chmod go-rwx should already be enough protection.

So against users which have the same or even higher rights as you there is no protection.

Steffen Ullrich
  • The idea of giving the secret key through a process is bugging me. As most of my scripts are for automating daily routines, I cannot give them the security key directly. – Ali Ahmad Apr 13 '14 at 16:39
  • But anybody with the same or higher rights can get the secret key from the process too - like I said, there is no protection in this case. – Steffen Ullrich Apr 13 '14 at 16:49
0

But tons of information is available on this utility that it can be circumvented. What other choices do I have?

At the end of the day, all of this doesn't make any sense. The computer needs to execute it, therefore at some point in time all of the sensitive information will be somewhere in memory. With current day technology there is no way around it. Anything else is just obfuscation, which may make you feel secure, but probably doesn't meet your expectations.

What probably makes the most sense is to put credentials and other sensitive information into a file and make sure that the file can only be read by the script (i.e. the user executing the script). There are plenty of options to secure files on an operating system level (file permissions, user/groups, SELinux, etc.), which are probably good enough in most cases.

Karol Babioch
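The file-permission approach from the answer above can be enforced by the script itself; this is an added example, not part of either answer. It assumes Linux with GNU coreutils `stat`, and the function names, file layout (KEY=VALUE lines) and key names are hypothetical. As both answers note, it does nothing against root or a process running under the same uid.

```shell
#!/bin/sh
# Added example: only use a credentials file that nobody but its owner can access.

# Return 0 only if $1 is a regular file (not a symlink), owned by the
# current user, with no group/other permission bits set.
cred_file_is_private() {
    local file=$1 mode owner
    [ -f "$file" ] && [ ! -L "$file" ] || { echo "not a regular file: $file" >&2; return 1; }
    owner=$(stat -c '%u' "$file") || return 1
    mode=$(stat -c '%a' "$file") || return 1
    [ "$owner" = "$(id -u)" ] || { echo "wrong owner on $file" >&2; return 1; }
    # The last two octal digits are the group and other bits; both must be 0.
    case "$mode" in
        *00) return 0 ;;
        *) echo "mode $mode on $file is too open; run: chmod go-rwx $file" >&2; return 1 ;;
    esac
}

# Print the value stored for key $2 in file $1. The file is parsed, not
# sourced, so its content is never executed as shell code.
read_cred() {
    local file=$1 key=$2 k v
    cred_file_is_private "$file" || return 1
    while IFS='=' read -r k v; do
        if [ "$k" = "$key" ]; then printf '%s\n' "$v"; return 0; fi
    done < "$file"
    echo "no entry for $key in $file" >&2
    return 1
}

# Demo on a constructed sample file; run the script with the argument "demo".
demo() {
    local f
    f=$(mktemp)
    printf 'REMOTE_USER=backup\nREMOTE_PASS=example-only\n' > "$f"
    chmod 644 "$f"; read_cred "$f" REMOTE_PASS || echo "refused while mode is 644"
    chmod 600 "$f"; read_cred "$f" REMOTE_PASS
    rm -f "$f"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```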