# Encrypt keycloak startup scripts to hide DB connection information
Encrypt the keycloak startup script using shc.
# Background of the problem
I was writing a systemd unit file for the Keycloak server as follows:

```ini
[Service]
WorkingDirectory=/home/ueda/keycloak-20.0.2
ExecStart=/home/keycloak/keycloak-20.0.2/bin/kc.sh start --hostname keycloak.mydomanin.com --db mariadb --db-url-host localhost --db-username keycloak --db-password keycloakpassword --transaction-xa-enabled=false
```

Hmm, I'm worried that the database connection information is so exposed. So, let's encrypt the Keycloak start script with shc.

According to the Shell script compiler (shc) page, shc is "A generic shell script compiler". It generates C source code from a script file. The generated C source code contains the original script encrypted with RC4, plus the code that decrypts it and runs it.
# Steps to hide database connection information from the systemd unit file
# 1. Separate start script into another shell file
Create a new script file as follows:

```bash
#!/bin/bash
bin/kc.sh start --hostname keycloak.mydomanin.com --db mariadb --db-url-host localhost --db-username keycloak --db-password keycloakpassword --transaction-xa-enabled=false
```

Note that the first line, the so-called "shebang", is required.
The file name can be anything, but let's say start.sh here.
# 2. Install shc

```bash
sudo apt-get install shc
```

# 3. Compile the script

```bash
shc -v -r -f start.sh
```
The meaning of the options in the command above is as follows:

- v: Verbose compilation. Not needed if you don't care about it.
- r: Relax security. Make a redistributable binary which executes on different systems running the same operating system. Not needed if you won't redistribute the binary to a different system, for example an ARM server.
- f: File path of the script to compile.

Then the following files are created:
- start.sh.x.c: C source code translation of original start.sh
- start.sh.x: Compiled binary file
Use start.sh.x in the systemd unit file.

# 4. Replace the Keycloak start script with the compiled start.sh.x in the systemd unit file

```ini
[Service]
WorkingDirectory=/home/ueda/keycloak-20.0.2
ExecStart=/home/keycloak/keycloak-20.0.2/start.sh.x
```
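
The compiled `start.sh.x` still runs `bin/kc.sh` with `--db-password` on its command line, so the value appears in that process's argument vector, which local users can normally read through `/proc`. The following check is an added example, not part of the original post; the function names, sample PIDs and the `CONSTRUCTED` value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: report processes that carry
# Keycloak's --db-password option in their argument vector.

# find_exposed_db_password [PROC_ROOT]
# Prints the PID of every process under PROC_ROOT (default /proc) whose
# argv contains "--db-password VALUE" or "--db-password=VALUE".
find_exposed_db_password() (
    proc_root="${1:-/proc}"
    for f in "$proc_root"/[0-9]*/cmdline; do
        [ -r "$f" ] || continue        # process exited or is not readable
        pid="${f%/cmdline}"
        pid="${pid##*/}"
        # cmdline is NUL-separated; turn it into one argument per line.
        tr '\0' '\n' < "$f" | while IFS= read -r arg; do
            case "$arg" in
                --db-password|--db-password=*)
                    printf '%s\n' "$pid"   # PID only, never the secret
                    break ;;
            esac
        done
    done
)

# make_sample_proc DIR
# Builds a constructed /proc-like tree for a dry run (hypothetical PIDs).
make_sample_proc() {
    mkdir -p "$1/101" "$1/202" "$1/303"
    # kc.sh invoked the way start.sh invokes it (space-separated value)
    printf '/bin/bash\0bin/kc.sh\0start\0--db-password\0CONSTRUCTED\0' > "$1/101/cmdline"
    # the same option in --name=value form
    printf 'java\0start\0--db-password=CONSTRUCTED\0' > "$1/202/cmdline"
    # an unrelated process without the option
    printf 'sshd\0-D\0' > "$1/303/cmdline"
}

# Scan the live system (run as root to see other users' processes).
find_exposed_db_password "${1:-/proc}"
```

Run it while the service is up; any PID it prints belongs to a process whose command line contains the database password.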
- Configuring the database: Keycloak official guide to storing data in a relational database.
- Shell script compiler (shc): official page of shc.