Encrypt and password-protect execution of any bash script, Version 2

read -p 'Script: ' S && C=$S.crypt H='eval "$((dd if=$0 bs=1 skip=//|gpg -d)2>/dev/null)"; exit;' && gpg -c<$S|cat >$C <(echo $H|sed s://:$(echo "$H"|wc -c):) - <(chmod +x $C)

(Please see sample output for usage) Use any script name (the read command gets it) and it will be encrypted with the extension .crypt, i.e.: myscript --> myscript.crypt You can execute myscript.crypt only if you know the password. If you die, your script dies with you. If you modify the startup line, be careful with the offset calculation of the crypted block (the XX string). Not difficult to make script editable (an offset-dd piped to a gpg -d piped to a vim - piped to a gpg -c directed to script.new ), but not enough space to do it on a one liner. Sorry for the chmod on parentheses, I dont like "-" at the end. Thanks flatcap for the subshell abbreviation to /dev/null

Sample Output

$ cat script.bash

#!/bin/bash
echo "hello, world"

$ read -p 'Script: ' S && C=$S.crypt H='eval "$(dd if=$0 bs=1 skip=// 2>/dev/null|gpg -d 2>/dev/null)"; exit;' && gpg -c<$S|cat >$C <(echo $H|sed s://:$(echo "$H"|wc -c):) - <(chmod +x $C)

Script: script.bash
Enter passphrase:
Repeat passphrase:

$ cat script.bash.crypt 

eval "$(dd if=$0 bs=1 skip=70 2>/dev/null|gpg -d 2>/dev/null)"; exit;
%3@5%7%f$2&s*ty7%8@j$j!8)(&@@@

$ ./script.bash.crypt 
Enter passphrase:

hello, world

By: rodolfoap

2013-03-10 08:59:45

cat chmod echo gpg read sed wc Security GPG Encryption secure crypt

1 Alternatives + Submit Alt

Encrypt and password-protect execution of any bash script

(Please see sample output for usage) script.bash is your script, which will be crypted to script.secure script.bash --> script.secure You can execute script.secure only if you know the password. If you die, your script dies with you. If you modify the startup line, be careful with the offset calculation of the crypted block (the XX string). Not difficult to make script editable (an offset-dd piped to a gpg -d piped to a vim - piped to a gpg -c directed to script.new ), but not enough space to do it on a one liner. Show Sample Output
This is sample output - yours may be different.
```
$ cat script.bash 

#!/bin/bash
echo "Hello, world"

$ echo "eval \"\$(dd if=\$0 bs=1 skip=XX 2>/dev/null|gpg -d 2>/dev/null)\"; exit" > script.secure; sed -i s:XX:$(stat -c%s script.secure): script.secure; gpg -c < script.bash >> script.secure; chmod +x script.secure
Enter passphrase:
Repeat passphrase:

$ ./script.secure 
Enter passphrase:

Hello, world

$ cat script.secure 
eval "$(dd if=$0 bs=1 skip=69 2>/dev/null|gpg -d 2>/dev/null)"; exit
%6&A2%&F%&B%&%4&%
```
5

echo "eval \"\$(dd if=\$0 bs=1 skip=XX 2>/dev/null|gpg -d 2>/dev/null)\"; exit" > script.secure; sed -i s:XX:$(stat -c%s script.secure): script.secure; gpg -c < script.bash >> script.secure; chmod +x script.secure

rodolfoap · 2013-03-09 11:16:48 21

What Others Think

How fun! But you can make it shorter by using a subshell. Change: X 2>/dev/null; Y 2>/dev/null into (X;Y)2>/dev/null This saves 12 bytes!

read -p 'Script: ' S && C=$S.crypt H='eval "$((dd if=$0 bs=1 skip=//|gpg -d)2>/dev/null)";exit;' && gpg -c<$S|cat >$C <(echo $H|sed s://:$(echo "$H"|wc -c):) - <(chmod +x $C)

flatcap · 636 weeks and 1 day ago

Hey that abbreviation is nice! Thanks flatcap!

rodolfoap · 636 weeks ago

When you run [code] bash -x test.crypt [/code] you still able to see lot stuff...

dynaguy · 636 weeks ago

Welcome to my Taobao shop ! Daily update: Discover amazing stuff, collect the things you love, buy it all in one place. novel style, varieties, low price and good quality, and the low sale price ==== ( http://www.fullmalls.com ) ===== ==== ( http://www.fullmalls.com ) ===== New to Hong Kong : Winter Dress Best quality, Best reputation , Best services ---**** NHL Jersey Woman $ 40 ---**** NFL Jersey $ 35 ---**** NBA Jersey $ 34 ---**** MLB Jersey $ 35 ---**** Jordan Six Ring_m $ 36 ---**** Air Yeezy_m $ 45 ---**** T-Shirt_m $ 25 ---**** Jacket_m $ 36 ---**** Hoody_m $ 50 ---**** Manicure Set $ 20 ---**** handbag $ 37 ---**** ugg boot $ 43 ---**** give you the unexpected harvest ==== ( http://www.fullmalls.com ) ===== ==== ( http://www.fullmalls.com ) ===== ==== ( http://www.fullmalls.com ) ===== ==== ( http://www.fullmalls.com ) =====

yewriusdf · 635 weeks and 6 days ago

Dynaguy: of course, if you have the password, you see everything. It's the idea. Without password, you can't see nothing. It's the idea.

rodolfoap · 635 weeks and 6 days ago

how can we protect the script from debug? If the set + x is included, it has no effect after the decoding. Good to have a script to give to a customer that the customer can run but never be able to read

frad · 597 weeks and 1 day ago

Should be "set +x", not "set + x". Tested it, works, I can't find no reason to continue showing the code. But if your client has the password, he has access to the code, this is not your solution (I used it to run code in a shared environment, where everybody has access to all files). You should try another approach.

rodolfoap · 597 weeks ago

Did you run bash -x secure.script? I put set +x in the first line of an unlocked script (script.bash) and it works correctly, when I use bash -x. When I put the password and I run bash -x the "set +x" is ignored and all commands are printed. We can not cut or vim the "script.secure" which is nice. If we could stop the "bash -x" command it will be a perfect solution. I wish to safely distribute long scripts to customers. The other solution I know about is shc

frad · 597 weeks ago

rahimhh21 · 142 weeks and 4 days ago

Perfecthomepugs · 133 weeks and 3 days ago

pugpuppies95 · 95 weeks and 2 days ago

donperi1 · 87 weeks and 4 days ago

yeneba6574 · 47 weeks and 1 day ago

What do you think?

Any thoughts on this command? Does it work on your machine? Can you do the same thing with only 14 characters?

You must be signed in to comment.

What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands

Similar Commands

How to execute and encrypted and password-protected bash script?

Make sure your script runs with a minimum Bash version

Creating new user with encrypted password

Create executable, automountable filesystem in a file, with password!

Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for:

» all commands
» commands with 3 up-votes (commandlinefu3)
» commands with 10 up-votes (commandlinefu10)