# Encrypt keycloak startup scripts to hide DB connection information

# Summary

Encrypt the keycloak startup script using shc.

# Background of the problem

When I'm making systemd unit file for the keycloak server as follows:

ExecStart=/home/keycloak/keycloak-20.0.2/bin/kc.sh start --hostname keycloak.mydomanin.com --db mariadb --db-url-host localhost --db-username keycloak --db-password keycloakpassword --transaction-xa-enabled=false

Hmm, I'm worried it seems so open of the Database connection information. So, let's encrypt keycloak start script with shc

# shc

According to the Shell script compiler (shc) (opens new window), the shc is "A generic shell script compiler". It makes C source code from a script file. Created C source code consists of the original script which encrypted by RC4, decrypt it and run.

# steps of hide datab ase connection information from systemd unit file

# 1. Separate start script into another shell file

Create new script file as follow:

bin/kc.sh start --hostname keycloak.mydomanin.com --db mariadb --db-url-host localhost --db-username keycloak --db-password keycloakpassword --transaction-xa-enabled=false

Notice that the first line, so called "shebang", mast be necessary.

The file name can be anything, but let's say start.sh here.

# 2. install shc

sudo apt-get install shc

# 3. compile script

shc -v -r -f start.sh

The meaning of the options in the script above is as follows:

  • v: Verbose compilation. So no need if you don't care about it.

  • r: Relax security. Make a redistributable binary which executes on different systems running the same operating system. No need if you wouldn't redistribution to different system for example ARM arch server.

  • f: File path of the script to compile

Then following files are created:

  • start.sh.x.c: C source code translation of original start.sh
  • start.sh.x: Compiled binary file

Use start.sh.x for making systemd unit file

# 4. replace keycloak start script to compiled start.sh.x in systemd unit file.


That's it!

# References

Last Updated: 12/6/2023, 6:23:01 AM