
How to Password Protect Grub Boot Loader in Linux

If you are a Linux sysadmin, you might not want others in your IT department who have physical access to the server to change anything from the GRUB bootloader menu that is displayed during system startup.

GRUB is the 3rd stage in the Linux boot process that we discussed earlier.

GRUB's security features allow you to set a password on the grub entries. Once you set a password, nobody can edit a grub entry or pass arguments to the kernel from the grub command line without entering the password.

It is highly recommended to set a GRUB password on any critical production system, as explained in this article.

1. Use grub password command in grub.conf

On a system where GRUB is not secured with a password, the following message is displayed right under the GRUB menu during system startup.

Use the up-arrow and down-arrow keys to select which entry is highlighted.
Press enter to boot the selected OS,
'e' to edit the commands before booting,
'a' to modify the kernel arguments before booting, or
'c' for a command-line

As you see from this message, anybody who is in front of the console rebooting the server can edit the grub commands, or even modify the kernel arguments, which will probably cause problems if someone who doesn't know what they are doing plays around with this on production systems.

/boot/grub/grub.conf contains the entries that are displayed in the GRUB menu during system startup. On some systems, /etc/grub.conf is a symbolic link to /boot/grub/grub.conf.

Add the following “password” line to the grub.conf file.

$ cat /etc/grub.conf
default=0
timeout=15
password GrbPwd4SysAd$
..

Once the “password” command is added to grub.conf, the following message is displayed right under the GRUB menu during system startup.

Use the up-arrow and down-arrow keys to select which entry is highlighted.
Press enter to boot the selected OS or
'p' to enter a password to unlock the next set of features.

As you see from this message, without entering the GRUB password that you gave in grub.conf, nobody can edit the grub commands or modify the kernel arguments. All they can do is select one of the displayed entries and boot from there.

2. Encrypt the grub password using grub-crypt

While reading the above entry, you probably thought to yourself: yes, GRUB is secured by a password, but the password itself is in clear text in the grub.conf file, which kind of defeats the purpose.

You can use the grub-crypt utility to create an encrypted password.

grub-crypt reads the clear text password from the user and displays the encrypted password as shown below.

# grub-crypt
Password: GrbPwd4SysAd$
Retype password: GrbPwd4SysAd$
^9^32kwzzX./3WISQ0C

Modify the grub.conf file and add the “password” entry with the --encrypted argument as shown below. Just copy the output of the grub-crypt command and paste it after the “--encrypted” argument in the password entry.

$ cat /etc/grub.conf
default=0
timeout=15
password --encrypted ^9^32kwzzX./3WISQ0C
..

By default, the grub-crypt command encrypts the password using the SHA-512 algorithm. You can also encrypt the password using either the SHA-256 or the MD5 algorithm as shown below.

# grub-crypt --sha-256
# grub-crypt --md5

You can also use md5crypt to encrypt the password. In that case, you should use “password --md5 encrypted-password” in your grub.conf file.

Inside the script section of a menu entry in your grub.conf file, if you specify “lock”, grub will execute the rest of the commands in that entry only if the user is authenticated.

3. Load a different file for the Grub Menu

By default, the entries in the GRUB menu during system startup are picked up from the grub.conf file, i.e., from the lines that start with “title” in grub.conf.

If you are testing some variation of a new kernel, you might want to create a separate grub menu file that contains the custom menu entries. During system startup, grub will by default show only the entries from grub.conf. However, when you enter the password, you can instruct grub to load your custom menu entries.

This is achieved by passing the custom menu file name to the password command in grub.conf, as shown below.

In the following example, GRUB loads and displays the menu entries from /etc/mymenu.lst when you provide the password during system startup.

$ cat /etc/grub.conf
default=0
timeout=15
password --encrypted ^9^32kwzzX./3WISQ0C /etc/mymenu.lst
..
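As an added example (not part of the original article, and not a GRUB tool), the POSIX shell script below audits a GRUB legacy grub.conf for the points covered in sections 1 to 3: whether a password line exists and whether its value is clear text or a crypt(3)-style hash of the kind grub-crypt produces ($1$ for MD5, $5$ for SHA-256, $6$ for SHA-512), whether a custom menu file is attached to the password, how many “title” entries lack “lock”, and whether the file is readable by users other than root. The two configurations it checks are constructed inline in temporary files; the hash in the hardened one is a placeholder in SHA-512 crypt layout, not a real hash.

```shell
#!/bin/sh
# Added example, not from the original article: audit a GRUB legacy grub.conf
# (the format shown above, not GRUB2's grub.cfg) for the "password" directive.

# --- constructed sample configurations (not real systems) -------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

WEAK_CONF="$WORK/weak-grub.conf"
cat > "$WEAK_CONF" <<'EOF'
default=0
timeout=15
password GrbPwd4SysAd$
title Production kernel
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda2
        initrd /initrd.img
EOF
chmod 644 "$WEAK_CONF"

HARDENED_CONF="$WORK/hardened-grub.conf"
# The hash below is a placeholder in crypt(3) SHA-512 layout, not a real hash;
# generate a real one with grub-crypt as the article shows.
cat > "$HARDENED_CONF" <<'EOF'
default=0
timeout=15
password --encrypted $6$SALTPLACEHOLDER$HASHPLACEHOLDER /etc/mymenu.lst
title Production kernel
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda2
        initrd /initrd.img
title Single user mode
        lock
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda2 single
        initrd /initrd.img
EOF
chmod 600 "$HARDENED_CONF"

# --- checks -----------------------------------------------------------------

# grub_password_mode FILE
# Prints: none | cleartext | hashed:md5 | hashed:sha256 | hashed:sha512 | hashed:unknown
grub_password_mode() {
    awk '
        /^[ \t]*password([ \t]|$)/ {
            found = 1
            if ($2 == "--encrypted" || $2 == "--md5") {
                if ($3 ~ /^\$1\$/)      print "hashed:md5"
                else if ($3 ~ /^\$5\$/) print "hashed:sha256"
                else if ($3 ~ /^\$6\$/) print "hashed:sha512"
                else                    print "hashed:unknown"
            } else if ($2 == "") print "none"
            else                 print "cleartext"
            exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# grub_menu_file FILE
# Prints the alternate menu file given after the password (empty if none).
grub_menu_file() {
    awk '
        /^[ \t]*password([ \t]|$)/ {
            if ($2 == "--encrypted" || $2 == "--md5") print $4; else print $3
            exit
        }' "$1"
}

# grub_unlocked_entries FILE
# Prints how many "title" entries can be booted without the password (no "lock" line).
grub_unlocked_entries() {
    awk '
        /^[ \t]*title([ \t]|$)/ { if (intitle && !locked) n++; intitle = 1; locked = 0; next }
        /^[ \t]*lock[ \t]*$/    { locked = 1 }
        END { if (intitle && !locked) n++; print n + 0 }
    ' "$1"
}

# grub_conf_world_readable FILE  -> yes | no  (looks at the "other" read bit)
grub_conf_world_readable() {
    case "$(ls -ld "$1" | cut -c8)" in
        r) echo yes ;;
        *) echo no ;;
    esac
}

# grub_conf_is_hardened FILE  -> exit 0 only if the password is hashed and the file is not world-readable
grub_conf_is_hardened() {
    case "$(grub_password_mode "$1")" in
        hashed:*) [ "$(grub_conf_world_readable "$1")" = no ] ;;
        *)        return 1 ;;
    esac
}

# --- report -----------------------------------------------------------------
for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    printf '%s\n  password: %s\n  menu file: %s\n  entries without lock: %s\n  world-readable: %s\n' \
        "$f" "$(grub_password_mode "$f")" "$(grub_menu_file "$f")" \
        "$(grub_unlocked_entries "$f")" "$(grub_conf_world_readable "$f")"
    if grub_conf_is_hardened "$f"; then echo "  verdict: hardened"; else echo "  verdict: NOT hardened"; fi
done
```

Point the functions at a real /etc/grub.conf to audit a system. A hashed value that does not use the $1$, $5$ or $6$ prefix (such as the shortened output shown in the article) is reported as hashed:unknown rather than rejected, since the decisive finding is a clear text password or a world-readable file, not the exact hash format.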

  • chris September 19, 2011, 4:03 am

    I'm learning Linux at home after doing an introductory course at the Open University.
    These articles/tutorials are simple, invaluable and interesting. Great stuff.
    Regards, Chris

  • Dennis September 19, 2011, 7:30 am

    Great tutorial as usual. I am thankful.

  • jalal hajigholamali September 19, 2011, 11:45 am

    Hi,

    Very useful article..

    thanks a lot

  • ItsMe September 20, 2011, 11:27 am

    Mhhh,
    this does not secure the system as much as you think.
    The purpose of the password is to restrict access to the boot process. So the attacker has physical access to the box.

    Then it is easy to boot from any external boot media like CD/DVD, USB stick, network or whatever, so you get access to all the filesystem: just start vi, joe, $EDITOR_OF_YOUR_CHOICE and delete the line where the pw is written.

    That's not much more effort than restarting the machine and booting from disk. Conclusion: the grub password is a delusive security.

    But hey – it's better than nothing 😉

  • jalal hajigholamali September 20, 2011, 11:46 am

    Hi,

    physical security is very important (ISO 27001)

    if somebody can access a computer, he/she can do anything…

  • Leslie Satenstein September 24, 2011, 8:29 pm

    Perhaps I am wrong, but if someone has access to the server as root or with a wide-open sudo alternative, then he can:

    copy grub.conf to grub.other
    edit grub.other to remove password line
    copy grub.other to grub.conf

    And the next boot will be without a password check.
    Grub.conf is not locked up once use was made of it.

  • Chander October 2, 2011, 1:07 am

    Really sir, these examples are so much helpful for learning. I just became your fan.

  • Ganesh October 6, 2011, 11:16 pm

    Now there is no grub.conf in Ubuntu… so what to do then?

  • Vicky January 12, 2012, 4:45 am

    I use Xubuntu 11.10. I cannot find this grub.conf file; the closest I get is grub.cfg, which looks different from the examples I have seen, and initially states the following:

    #
    # DO NOT EDIT THIS FILE
    #
    # It is automatically generated by grub-mkconfig using templates
    # from /etc/grub.d and settings from /etc/default/grub
    #

  • Sher January 30, 2013, 6:13 am

    Great tutorial, thanks.

    I have a question: what if I have forgotten both my grub and root password? In which case, is there a way to do a GRUB password reset?

  • Tricky April 4, 2014, 4:43 am

    To remove a forgotten boot password when you are locked out you can boot the machine from DVD/USB and edit the grub.conf from a rescue command prompt.

    # Mount the boot partition so we can access it
    mount /dev/sda1 /mnt

    # Edit the grub.conf to remove the password
    vi /mnt/boot/grub/grub.conf

  • Joshua Cagle April 29, 2014, 8:50 pm

    The password is not encrypted, it is hashed. Encryption implies decryption is possible. Hashes cannot be decrypted; they can only be matched. I wish programs would not use the terms encryption and hashing interchangeably.

    Love the tutorial by the way. Awesome.

  • Anonymous August 5, 2015, 6:15 pm

    If your GRUB2 boot loader program is installed on a Linux system with a ‘dm-crypt’ encrypted root partition, you can add the line ‘GRUB_ENABLE_CRYPTODISK=y’ to your ‘/etc/default/grub’ or ‘/etc/sysconfig/grub’ to cause it to prompt you for the passphrase of the encrypted volume (assuming it has one set) in order to unlock the boot loader menu at system startup.

  • Ismail August 24, 2015, 6:16 am

    Ramesh, your grub.conf excerpt from section 3 is a repeat of the middle excerpt from section 2 (in other words, is the scripted menu options syntax missing?)

  • Naseeb April 12, 2016, 11:44 pm

    Dear Sher,

    I have the same question: how to reset the root password on an Ubuntu system which is also protected by a grub password. Because in this case I am not getting the root prompt even after a live boot.