# Encrypt keycloak startup scripts to hide DB connection information
# Summary
Compile the Keycloak startup script into a binary with shc so that the database credentials no longer sit in plain text in the systemd unit file.
# Background of the problem
When writing a systemd unit file for the Keycloak server like the following:
[Service]
WorkingDirectory=/home/ueda/keycloak-20.0.2
ExecStart=/home/keycloak/keycloak-20.0.2/bin/kc.sh start --hostname keycloak.mydomanin.com --db mariadb --db-url-host localhost --db-username keycloak --db-password keycloakpassword --transaction-xa-enabled=false
The database connection information, password included, is sitting in plain text in a file that is world-readable by default (unit files under /etc/systemd/system are normally mode 0644). So, let's encrypt the Keycloak start script with shc.
# shc
According to the Shell script compiler (shc) page, shc is "A generic shell script compiler". It generates C source code from a script file and compiles it. The generated C source embeds the original script encrypted with RC4, plus the code that decrypts it at run time and hands it to the shell named in the script's shebang. Note that the RC4 key is embedded in the same binary, so this is obfuscation rather than encryption in the cryptographic sense: anyone who can read the binary can recover the script.
# Steps to hide the database connection information from the systemd unit file
# 1. Separate start script into another shell file
Create a new script file as follows:
#!/bin/bash
bin/kc.sh start --hostname keycloak.mydomanin.com --db mariadb --db-url-host localhost --db-username keycloak --db-password keycloakpassword --transaction-xa-enabled=false
Note that the first line, the so-called "shebang", is required: shc reads it to decide which interpreter the compiled binary will run the script with.
The file name can be anything, but let's call it start.sh here.
# 2. Install shc
sudo apt-get install shc
# 3. Compile the script
shc -v -r -f start.sh
The options used above mean the following:
-v: Verbose compilation. Not needed unless you want to see what shc does.
-r: Relax security. Makes a redistributable binary that runs on other systems with the same operating system; omit it if the binary will only ever run on the machine it was compiled on. It does not make the binary portable across CPU architectures: a binary built on an x86-64 host will not run on an ARM server with or without -r.
-f: Path of the script file to compile.
The following files are then created:
- start.sh.x.c: C source code translation of original start.sh
- start.sh.x: Compiled binary file
Use start.sh.x in the systemd unit file.
# 4. Replace the Keycloak start command in the systemd unit file with the compiled start.sh.x
[Service]
WorkingDirectory=/home/ueda/keycloak-20.0.2
ExecStart=/home/keycloak/keycloak-20.0.2/start.sh.x
That's it! Because start.sh calls bin/kc.sh by a relative path, WorkingDirectory must point at the Keycloak installation directory. Also restrict the binary to the service user (chmod 0700 start.sh.x), since anyone who can read it can recover the embedded script.
Be clear about what this does and does not achieve. The credentials are gone from the unit file, but start.sh.x still runs kc.sh with --db-password on its command line, and kc.sh passes those arguments on to the java process, so for as long as Keycloak is running the password is visible in /proc/<pid>/cmdline (i.e. in ps aux) to every local user unless /proc is mounted with hidepid. If that matters, Keycloak accepts every option through the environment as well (KC_DB_PASSWORD for --db-password) or through conf/keycloak.conf; an EnvironmentFile= readable only by root, with the --db-password argument removed, keeps the password out of both the unit file and the process list.
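The following bash script is an added example, not code from the original post or from shc or Keycloak. It shows both halves of the caveat above: a function that pulls the --db-password value out of a /proc/<pid>/cmdline-style argument list (the way any local user could), a scanner that runs it over the live /proc on a Linux host, and a helper that writes the password into an owner-only EnvironmentFile as KC_DB_PASSWORD instead. The sample argv, the /etc/keycloak/db.env path mentioned in the comments and the password value are constructed for the example.

```bash
#!/bin/bash
# Added example (not part of the original post). It demonstrates:
#  1. why the shc wrapper does not hide the password from other local users:
#     the kc.sh/java processes it starts still carry "--db-password <value>"
#     in their argv, readable by anyone via /proc/<pid>/cmdline;
#  2. the alternative: hand the password to Keycloak via KC_DB_PASSWORD from
#     an EnvironmentFile that only root can read.
# All paths and the sample password below are constructed for the example.

# Print the value given to --db-password in a NUL-separated argv
# (the exact format of /proc/<pid>/cmdline); print nothing if absent.
# Handles both "--db-password value" and "--db-password=value".
extract_db_password() {
    tr '\0' '\n' < "$1" | awk '
        prev == "--db-password" { print; exit }
        /^--db-password=/       { sub(/^--db-password=/, ""); print; exit }
        { prev = $0 }'
}

# Scan every running process on this Linux host and print "<pid>: <value>"
# for each one whose argv leaks a database password. Needs a live /proc;
# an empty result proves nothing if /proc is mounted with hidepid.
scan_running_processes() {
    local f pid pw
    for f in /proc/[0-9]*/cmdline; do
        pw=$(extract_db_password "$f" 2>/dev/null) || continue
        pid=${f#/proc/}; pid=${pid%/cmdline}
        [ -n "$pw" ] && printf '%s: %s\n' "$pid" "$pw"
    done
    return 0
}

# Write "KC_DB_PASSWORD=<password>" to a file that only its owner can read
# (mode 0600). Pointing "EnvironmentFile=<path>" in the unit at it supplies
# the password without exposing it in the unit file or in any argv.
write_env_file() {
    local dest="$1" pw="$2"
    ( umask 077 && printf 'KC_DB_PASSWORD=%s\n' "$pw" > "$dest" )
    chmod 0600 "$dest"
}

# Succeed only if the env file is mode 0600 (GNU stat; on BSD/macOS use
# "stat -f %Lp" instead).
env_file_is_private() {
    [ "$(stat -c %a "$1")" = "600" ]
}

# Demo: a constructed copy of the argv that start.sh.x hands to kc.sh.
demo() {
    local dir
    dir=$(mktemp -d)
    printf '%s\0' /bin/bash bin/kc.sh start --hostname keycloak.mydomanin.com \
        --db mariadb --db-url-host localhost --db-username keycloak \
        --db-password keycloakpassword --transaction-xa-enabled=false \
        > "$dir/cmdline"
    echo "leaked via argv: $(extract_db_password "$dir/cmdline")"
    write_env_file "$dir/db.env" keycloakpassword   # stands in for /etc/keycloak/db.env
    env_file_is_private "$dir/db.env" && echo "env file is owner-only (0600)"
    rm -rf "$dir"
}
demo
```

With the env file in place (say /etc/keycloak/db.env, owned by root, mode 0600), the unit gets `EnvironmentFile=/etc/keycloak/db.env` and the `--db-password keycloakpassword` argument is dropped from the start command; Keycloak picks up KC_DB_PASSWORD exactly as it would the command-line option, and `scan_running_processes` then finds nothing.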
# References
- Configuring the database: the Keycloak official guide to storing data in a relational database.
- Shell script compiler (shc): the official page of shc.