The Filter-Crypto distribution provides the means to convert your Perl files
into an encrypted, yet still runnable, format to hide the source code from
casual prying eyes.
This is achieved using a Perl source code filter. The encrypted files, produced
using the Filter::Crypto::CryptFile module,
automatically have one (unencrypted) line added to the start of them that loads
the Filter::Crypto::Decrypt module. The latter is a
Perl source code filter that decrypts the remaining (encrypted) part of the Perl
file on the fly when it is run. See perlfilter if you want to know more
about how Perl source code filters work.
Encrypted files can also be produced more conveniently using the <B>crypt_fileB>
script, or (if you also have the PAR module available) using the
PAR::Filter::Crypto module. The latter can be utilized
by the standard PAR tools to produce PAR archives in which your Perl
files are encrypted.
The actual encryption and decryption is performed using one of the symmetric
cipher algorithms provided by the OpenSSL libcrypto library. The EVP library
high-level interface functions to the various cipher algorithms themselves are
used so that your choice of algorithm (and also what password or key to use) is
made simply by answering some questions when building this distribution. See
the INSTALL file for more details.
This module itself only contains this documentation and the version number of
the Filter-Crypto distribution as a whole.
Some people regard the whole area of Perl source code encryption as being
morally offensive, given that Perl itself is open source. However, Perls
Artistic License does specifically allow the distribution of Perl as part of a
larger (possibly commercial) software distribution, and many people producing
commercial Perl software are uneasy about distributing the source code in easily
accessible form for anyone to see, and want to take more practical action than
involving intellectual property rights lawyers.
That is where software like this comes in, but a word of warning is in order
regarding the security provided by this (and, indeed, any other) source code
Some of the points below come from a discussion on the perl5-porters mailing
list, in the thread starting here:
others are taken from the Filter::decrypt manpage.
In general, it is hopeless to try to prevent everyone from getting at the source
code, especially when it is being run in an environment that you have no control
over, and even more so when the software running it (Perl) is open source
This technique can never completely hide the original unencrypted source code
from people sufficiently determined to get it. The most it can hope for is to
hide it from casual prying eyes, and to outdo everyone who is using a
precompiled perl (at least from regular sources) and everyone who is not
knowledgeable enough to suitably modify the Perl source code before compiling
Perl source code decryption filters work by intercepting the source stream (read
from the encrypted file) and modifying it (in this case, decrypting it) before
it reaches the Perl parser. Clearly, by the time the source reaches the parser
it must be decrypted, otherwise the script cannot be run. This means that at
some stage every part of the script must be held in memory in an unencrypted
state, so anyone with the appropriate debugging skills will be able to get it.
If perl was built with DEBUGGING then running the script with the perls <B>-DpB>
command-line option makes this much easier. Even without a DEBUGGING perl, the
script can still be run under the Perl debugger (perls <B>-dB> command-line
option), whose l command will list the (decrypted) source code that was fed
to the parser.
In fact, with the introduction of the Perl compiler backend modules it is now
easy to get at the decrypted source code without any debugging skills at all.
To quote B::Deparse:
B::Deparse is a backend module for the Perl compiler that generates perl
source code, based on the internal compiled structure that perl itself
creates after parsing a program. The output of B::Deparse wont be exactly
the same as the original source, since perl doesnt keep track of comments
or whitespace, and there isnt a one-to-one correspondence between perls
syntactical constructions and their compiled form, but it will often be
To make debugging and deparsing more difficult, the source code decryption
filter implemented in this distribution contains checks to try to disallow the
You should also not use a perl that was built with C debugging support enabled
(e.g. <B>gccB>s <B>-gB> option, or <B>cl.exeB>s <B>/ZiB> option) and should strip the
perl executable to remove all symbols (e.g. <B>gccB>s <B>-sB> option).
Running under a perl that was built with DEBUGGING (-DDEBUGGING);
Running under a perl with DEBUGGING flags enabled (<B>-DB> or $^D);
Running under the Perl debugger (<B>-dB>);
Running under the Perl compiler backend (<B>-MO=DeparseB>).
None of the above checks are infallible, however, because unless the source code
decryption filter module is statically linked against the perl executable then
users can always replace the perl executable being used to run the script with
their own version, perhaps hacked in such a way as to work around the above
checks, and thus with debugging/deparsing capabilities enabled. Such a hacked
version of the perl executable can certainly be produced since Perl is open
In fact, it is not difficult for suitably experienced hackers to produce a
modified perl executable that makes it absolutely trivial for them to retrieve
the original unencrypted source code with comments, whitespace and all (i.e.
not just a deparsed reconstruction of it). One example that was mentioned in
the perl5-porters thread cited above is to modify the perl executable to simply
print each line of the decrypted source stream that is fed to the parser, rather
than parsing and running it!
A typical hackers opinion of all this is perhaps the following delightful
message that I received off-list during that perl5-porters thread from someone
who shall remain anonymous:
"If you dont want anybody to see your source code, why dont you
STICK IT UP YOUR ASS?!"