Think of a long time not updated blog, today in the group to see the discussion about shell script encryption things.
Think about it too, we are writing scripts sometimes configure the relevant account and password things, so as long as the permission can see the information, very insecure, there is no normal operation of the file encryption. The following two features are broadly available:
Encrypt files to prevent others from seeing what I wrote.
can be sensitive to hidden knowledge points, such as scripts involving users and passwords, such as MySQL
I deliberately searched, there are two ways to increase knowledge, so the verification, the process is as follows:
First Method (Gzexe): Based on ubuntu14.04
This type of encryption is not a very safe method, but it can be used for general encryption purposes. It is using the system comes with the Gzexe program, it not only encrypts, simultaneously compresses the file.
How to use: Gzexe file.sh it will back up the original unencrypted file as xx.sh~, while xx.sh becomes the encrypted file
[email protected]:~/test# lstest.sh[email protected]:~/test# cat test.sh #!/bin/ bashecho ' Date ' [email protected]:~/test# sh test.sh mon jul 17 15:08:01 hkt 2017[email protected]:~/test# gzexe test.sh test.sh: 25.0%[email protected]:~/test# lstest.sh test.sh~[email protected]:~/test# sh test.shMon Jul 17 15:08:14 HKT 2017[email protected]:~/test# sh test.sh~mon jul 17 15:08:18 hkt 2017[email protected]:~/test# cat test.sh~#!/bin/bashecho ' Date ' [email protected]:~/test# cat test.sh#!/bin/bashskip=44tab= ' ' nl= ' ifs= ' $tab $nl ' umask= ' umask ' umask 77gztmpdir=trap ' res=$? test -n ' $ Gztmpdir " && rm -fr " $gztmpdir " (exit $res); exit $res ' 0 1 2 3 5 10 13 15if type mktemp >/dev/null 2>&1; then gztmpdir= ' Mktemp -dt ' else gztmpdir=/tmp/gztmp$$; mkdir $gztmpdirfi | | { (exit 127), exit 127; }gztmp= $gztmpdir/$0case $0 in-* | * /* ') mkdir -p "$gztmp" && rm -r "$gztmp";; */*) gztmp= $gztmpdir/' basename ' $ "';; esac | | { (exit 127); exit 127; }case ' echo x | tail -n + 1 2>/dev/null ' inx) tail_n=-n;; *) tail_n=;; esacif tail $tail _n + $skip < "$" | gzip -cd > "$gztmp"; then umask $umask chmod 700 $gztmp (sleep 5; rm -fr "$gztmpdir") 2>/dev/null & "$gztmp" ${1+ "[email Protected] "}; res=$?else echo >&2 "Cannot decompress $0" (exit 127); res=127fi; exit $res
At this point we can see that the test.sh file has been encrypted, but it does not affect the operation. At this point you delete the test.sh~ file, others will be completely invisible (you can not see, please delete it as appropriate).
[Email protected]:~/test# lstest.sh test.sh~[email protected]:~/test# rm test.sh~[email protected]:~/test# lstest.sh[ Email protected]:~/test# sh test.sh Mon Jul 15:10:36 HKT 2017
Recommended to use, on the one hand, the system comes with commands, to achieve the purpose, nobody idle crack your script, even if you want to crack, first enter your system again.
I am based on centos6.8 (ubuntu14.04 problem, no specific troubleshooting)
Method 2:SHC
SHC Common parameters
-E Date
Expiration date in dd/mm/yyyy format [None] (Specify expiration date)
-M message
Message to display upon expiration ["Please contact your provider"] (specify expiration prompt information)
-F Script_name
File name of the script to compile (specifies the path and file name of the shell to be compiled)
-R Relax Security.
Make a redistributable binary which executes on different systems running the same operat-ing system. (can be used in different systems of the same operating system Line
-V Verbose Compilation (details of compilation)
SHC is a professional tool for encrypting shell scripts. Its role is to transform the shell script into an executable binary file, this method is also a good solution to the script contains IP, password and so do not want to open the issue
Package DOWNLOAD Link:
http://www.datsi.fi.upm.es/~frosal/sources/
[[email protected] ~]# wget http://www.datsi.fi.upm.es/~frosal/sources/ shc-3.8.6.tgz--2017-07-17 15:23:39-- http://www.datsi.fi.upm.es/~frosal/sources/ shc-3.8.6.tgzresolving www.datsi.fi.upm.es... 138.100.9.22connecting to Www.datsi.fi.upm.es|138.100.9.22|:80... connected. http request sent, awaiting response... 200 oklength: 35071 (34K) [application/x-gzip]Saving to: "Shc-3.8.6.tgz" 100%[=========================================== ==================================================================================>] 35,071 21.9K/s in 1.6s 2017-07-17 15:23:46 (21.9 kb/s) - "Shc-3.8.6.tgz" saved [35071/35071][[email protected ] ~]# tar xf shc-3.8.6.tgz [[email protected] ~]# mkdir -p / Usr/local/man/man1
This step is necessary, otherwise the installation process will be error, SHC will install the command into the/usr/local/bin/directory;
The help document is stored in the/usr/local/man/man1/directory, if the system does not have this directory, the installation will be error, you can create this directory and then perform the installation.
[[Email protected] ~]# CD Shc-3.8.6[[email protected] shc-3.8.6]# make install***installing SHC and Shc.1 on/usr/local*** Want to continue? Y #此时等待输入yinstall-C-S shc/usr/local/bin/install-c-M 644 shc.1/usr/local/man/man1/How to use:-f [email protected] test]# Cat Test.sh#!/bin/bashecho ' Date ' [[email protected] test]# shc-r-f test.shtest.sh.x.c:in function ' chkenv ': test.sh.x.c : 211:warning:cast from pointer to integer of different sizeyou has new mail in/var/spool/mail/root[[email protected] t est]# lstest.sh test.sh.x test.sh.x.c will generate two files, xx.x and xx.x.c after running.
Where xx.x is an executable binary that is encrypted and can be run with./xx.x, XX.X.C is the original file (c) that generated the xx.x.
Not recommended, need to be installed separately management, more trouble. If the security requirements are very high, it is possible to parameter.
This article is from the "Promise (Promise)" blog, please make sure to keep this source http://caimengzhi.blog.51cto.com/9787265/1948227
Shell Scripting Encryption