Protect with a root file password

Hello, I would like to password protect my .sh file. Thanks

Is it possible?

Out of the box, OpenWRT runs everything as root. If you have shell access you can access the filesystem. Best advice is to use openssh or dropbear from local network using a key file rather than password. I never looked into running non-root stuff, might be possible. What is your use case?

Not really.

Yes, it's technically possible to add a self-extracting decryptor to your program (including shell implementations), but that's usually more common in malware or proprietary circles (and easier to accomplish for binary executables than shell scripts) and severely raises the complexity of your shell script and its fragility (the loader mustn't clobber the environment of the actual payload) and would still be prone to being decoded on execution.
No, I don't have pointers to example implementations of this, but it's possible (with the caveats mentioned above - and probably a few more).

1 Like

Thanks for your response all

This idea interested me, so I looked for a solution and found one that seems to fit my threat model, and it might be of interest to you or others. I tried a simple shell script and, being new to Linux and OpenWrt, I don't know if the shell pipeline works with more complex shell syntax.
I found a similar solution at Stack Overflow for how to execute gpg encrypted shell files using the command gpg -qd 2>/dev/null | bash - . I also found a small encryption program called ccrypt which is available for my OpenWrt arch with opkg list |grep crypt. It is 46k installed. I installed it with opkg install ccrypt.
I wrote a simple test script, made a backup, encrypted it with ccencrypt which created a file named, and I ran it successfully with ccat | ash -. Both encrypting and decrypting prompted me to enter the password. Keeping 2>/dev/null hides the password prompt. Details on ccrypt are at

Here is the output of ccrypt --help on my OpenWrt router:

ccrypt 1.11. Secure encryption and decryption of files and streams.

Usage: ccrypt [mode] [options] [file...]
       ccencrypt [options] [file...]
       ccdecrypt [options] [file...]
       ccat [options] file...

    -e, --encrypt         encrypt
    -d, --decrypt         decrypt
    -c, --cat             cat; decrypt files to stdout
    -x, --keychange       change key
    -u, --unixcrypt       decrypt old unix crypt files

    -h, --help            print this help message and exit
    -V, --version         print version info and exit
    -L, --license         print license info and exit
    -v, --verbose         print progress information to stderr
    -q, --quiet           run quietly; suppress warnings
    -f, --force           overwrite existing files without asking
    -m, --mismatch        allow decryption with non-matching key
    -E, --envvar var      read keyword from environment variable (unsafe)
    -K, --key key         give keyword on command line (unsafe)
    -k, --keyfile file    read keyword(s) as first line(s) from file
    -P, --prompt prompt   use this prompt instead of default
    -S, --suffix .suf     use suffix .suf instead of default .cpt
    -s, --strictsuffix    refuse to encrypt files which already have suffix
    -F, --envvar2 var     as -E for second keyword (for keychange mode)
    -H, --key2 key        as -K for second keyword (for keychange mode)
    -Q, --prompt2 prompt  as -P for second keyword (for keychange mode)
    -t, --timid           prompt twice for encryption keys (default)
    -b, --brave           prompt only once for encryption keys
    -y, --keyref file     encryption key must match this encrypted file
    -r, --recursive       recurse through directories
    -R, --rec-symlinks    follow symbolic links as subdirectories
    -l, --symlinks        dereference symbolic links
    -T, --tmpfiles        use temporary files instead of overwriting (unsafe)
    --                    end of options, filenames follow


1 Like
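An added example, not part of the thread: in the decrypt-and-pipe approach described in the post above, the pipeline's exit status is the shell's, not the decryptor's, so a failed decryption goes unnoticed by the caller. This wrapper checks the decryptor's status before anything is executed. The names run_decrypted and stub_decrypt are hypothetical, the /root path is a placeholder, and the stub stands in for ccat so the block runs without ccrypt.

```shell
#!/bin/sh
# Added example, not from the thread. run_decrypted and stub_decrypt are
# hypothetical names; the /root/... path in the usage line is a placeholder.
#
# On the router (ccrypt installed, password typed at the prompt):
#   run_decrypted ccat /root/myscript.sh.cpt

# run_decrypted DECRYPT_CMD [ARGS...]
# Runs DECRYPT_CMD and, only if it succeeds, feeds its output to a shell.
run_decrypted() {
    # Capture the plaintext in a variable: it stays in memory and is never
    # written to a temporary file. A non-zero decryptor status aborts here.
    script=$("$@") || {
        echo "run_decrypted: decrypt failed (status $?), nothing executed" >&2
        return 1
    }
    if [ -z "$script" ]; then
        echo "run_decrypted: empty plaintext, nothing executed" >&2
        return 1
    fi
    # Pass the script on stdin, not as an argument, so its text does not
    # show up in the process list. printf is normally a shell builtin.
    printf '%s\n' "$script" | sh -s
    rc=$?
    unset script
    return "$rc"
}

# Constructed stand-in for ccat so the example runs without ccrypt:
# stub_decrypt STATUS TEXT prints TEXT and exits with STATUS.
stub_decrypt() {
    printf '%s\n' "$2"
    return "$1"
}

# Constructed demo: the first call runs, the second is refused even though
# the failing decryptor produced output.
run_decrypted stub_decrypt 0 'echo "hello from the decrypted script"'
run_decrypted stub_decrypt 1 'echo "this line must not run"' ||
    echo "refused as expected"
```

This protects the file at rest only; while the script runs, its plaintext exists in memory, which is the caveat raised earlier in the thread.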

It's very interesting, thanks.
