I have a shell script that produces sensitive content when run. It sits on a box that only a few users have permissions to access. However, I have also added layered obfuscation to prevent unauthorized usage, via the following:
To then add a layer of actual security to protect against more advanced users and system admins, I have also encrypted the script with gpg.
My question is -- Is there a gpg command (or other encryption method) that I could run which prompts for the decryption passphrase, and decrypts the script and runs it in memory only (without saving the decrypted version of the file to the file system)?
I realize that sensitive information may still exist in unprotected memory while being executed, I'll address that separately.
You can capture the output of decrypting by:

    decrypted=$(gpg -d ...)

You can then eval the result:

    eval "$decrypted"
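The approach in the answer above, worked into a complete POSIX sh function as an added example (this is not the asker's script nor code from the answer). The decrypt command is passed as an argument rather than hard-coded, so the same function runs the real case (`gpg --quiet --decrypt secret.sh.gpg`, where gpg asks for the passphrase through its pinentry on the terminal rather than on stdout, so the capture receives only the plaintext) and, as a stand-in on a machine without gpg, a constructed `base64 -d` "encryption" used by the self-test. The file name `secret.sh.gpg` in the comments is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original question or answer: decrypt a
# script into a shell variable and run it with eval, so the plaintext is
# never written to the file system. The decrypt command is a parameter so
# the function works with gpg (the tool the page uses) or, for a local
# test without gpg installed, with a stand-in such as `base64 -d`.

# run_encrypted_script <encrypted-file> <decrypt-command...>
# The decrypt command must accept the file path as its last argument and
# write the plaintext to stdout, e.g. (placeholder file name):
#   run_encrypted_script secret.sh.gpg gpg --quiet --decrypt
run_encrypted_script() {
    enc="$1"; shift
    [ -r "$enc" ] || { echo "cannot read $enc" >&2; return 1; }
    # Capture the plaintext in a variable. If decryption fails (wrong
    # passphrase, tampered file, missing key) refuse to eval whatever
    # partial output came out instead of running it.
    decrypted=$("$@" "$enc") || { echo "decryption failed" >&2; return 1; }
    # Run in a subshell so the script's variables, `cd` and `exit` do not
    # affect the caller's shell; rc is the decrypted script's exit status.
    ( eval "$decrypted" )
    rc=$?
    # Overwrite and drop the variable as soon as the script has finished.
    decrypted=''
    unset decrypted
    return $rc
}

# Self-test without gpg: a constructed one-line script, "encrypted" with
# base64 as a stand-in for `gpg -c`, is run from memory and its output
# printed. The temporary file is removed afterwards.
demo_run_from_memory() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'msg="hello from memory"; echo "$msg"' | base64 > "$tmp"
    out=$(run_encrypted_script "$tmp" base64 -d)
    rc=$?
    rm -f "$tmp"
    echo "$out"
    return $rc
}
```

Two points the one-liner in the answer leaves implicit: the plaintext sits in the shell process's memory (and in any core dump of it) for as long as the variable exists, so clearing it right after `eval` keeps that window short; and evaluating in a subshell keeps the script from exporting its variables into the interactive shell that ran it. Command substitution strips trailing newlines, which is harmless for a script but worth knowing if the decrypted content is data rather than code.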