How to Password Protect Grub Boot Loader in Linux

by Ramesh Natarajan on September 19, 2011

If you are a Linux sysadmin, you might not want others in your IT department who have physical access to the server to change anything from the GRUB bootloader menu that is displayed during system startup.

GRUB is the 3rd stage in the Linux boot process that we discussed earlier.

GRUB's security features allow you to set a password on the grub entries. Once you set a password, nobody can edit any grub entry or pass arguments to the kernel from the grub command line without entering the password.

It is highly recommended to set a GRUB password on any critical production system, as explained in this article.

1. Use grub password command in grub.conf

On a system where GRUB is not secured with a password, the following message is displayed right under the GRUB menu during system startup.

As you can see from this message, anybody who is in front of the console while the server reboots can edit the grub commands or even modify the kernel arguments, which will probably cause problems if someone who doesn't know what they are doing plays around with this on a production system.

Use the up-arrow and down-arrow keys to select which entry is highlighted. 
Press enter to boot the selected OS,
'e' to edit the commands before booting, 
'a' to modify the kernel arguments before booting, or
'c' for a command-line

/boot/grub/grub.conf contains the entries that are displayed in the GRUB menu during system startup. On some systems, /etc/grub.conf is a symbolic link to /boot/grub/grub.conf.

Add the following “password” line to the grub.conf file.

$ cat /etc/grub.conf
default=0
timeout=15
password GrbPwd4SysAd$
..

Once the “password” command is added to grub.conf, the following message is displayed right under the GRUB menu during system startup.

As you can see from this message, without entering the GRUB password that you put in grub.conf, nobody can edit the grub commands or modify the kernel arguments. All they can do is select one of the displayed entries and boot from there.

Use the up-arrow and down-arrow keys to select which entry is highlighted. 
Press enter to boot the selected OS or
'p' to enter a password to unlock the next set of features.

2. Encrypt the grub password using grub-crypt

While reading the above section, you probably thought to yourself: yes, grub is secured by a password, but the password itself is in clear text in the grub.conf file, which kind of defeats the purpose.

You can use the grub-crypt utility to create an encrypted password (technically a salted hash of the password).

grub-crypt reads the clear text password from the user and displays the encrypted password, as shown below.

# grub-crypt
Password: GrbPwd4SysAd$
Retype password: GrbPwd4SysAd$
^9^32kwzzX./3WISQ0C

Modify the grub.conf file and add the “password” entry with the --encrypted argument as shown below. Just copy the output of the grub-crypt command and paste it after the “--encrypted” argument in the password entry.

$ cat /etc/grub.conf
default=0
timeout=15
password --encrypted ^9^32kwzzX./3WISQ0C
..

By default, the grub-crypt command encrypts the password using the SHA-512 algorithm. You can also encrypt the password using either the SHA-256 or the MD5 algorithm, as shown below.

# grub-crypt --sha-256
# grub-crypt --md5

You can also use md5crypt to encrypt the password. In that case, use “password --md5 encrypted-password” in your grub.conf file.

Inside the script section of a menu entry in grub.conf, if you specify “lock”, grub will execute the rest of the commands in that entry only if the user has authenticated with the password.

3. Load a different file for the Grub Menu

By default, the entries in the GRUB menu during system startup are picked up from the grub.conf file, i.e. from the lines that start with “title”.

If you are testing some variation of a new kernel, you might want to create a separate grub menu file that contains the custom menu entries. During system startup, by default only the entries from grub.conf are shown. However, once you enter the password, you can instruct grub to load your custom menu entries.

This is achieved by passing the custom menu file name to the password command in grub.conf, as shown below.

In the following example, grub loads and displays the menu entries from /etc/mymenu.lst when you provide the password during system startup.

$ cat /etc/grub.conf
default=0
timeout=15
password --encrypted ^9^32kwzzX./3WISQ0C /etc/mymenu.lst
..
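An added audit script, not part of the article, that parses a legacy grub.conf and reports the settings sections 1 to 3 describe: whether the password line is missing, in cleartext or --encrypted (and which grub-crypt algorithm produced the hash, judged by its $6$/$5$/$1$ crypt prefix), the optional menu file argument, and which title entries carry "lock". The sample grub.conf and its hash are constructed placeholders.

```python
# Map crypt(3)-style hash prefixes to the grub-crypt algorithm that produced them.
CRYPT_PREFIXES = {"$6$": "sha512", "$5$": "sha256", "$1$": "md5"}

# Constructed sample grub.conf (not from the article); the hash is a placeholder.
SAMPLE_GRUB_CONF = """\
default=0
timeout=15
password --encrypted $6$PLACEHOLDERSALT$PLACEHOLDERHASH /etc/mymenu.lst
title Production kernel
        kernel /vmlinuz ro root=/dev/sda2
title Rescue (single user)
        lock
        kernel /vmlinuz ro root=/dev/sda2 single
"""

def audit_grub_conf(text):
    """Global password mode and algorithm, optional menu file, and lock state per entry."""
    report = {"password": "none", "algorithm": None, "menu_file": None,
              "locked": [], "unlocked": []}
    title = None  # stays None in the global section, before the first "title"
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "password" and title is None:
            args = tokens[1:]
            if args and args[0] in ("--encrypted", "--md5"):
                report["password"] = "encrypted"
                digest = args[1] if len(args) > 1 else ""
                report["algorithm"] = next((algo for prefix, algo in CRYPT_PREFIXES.items()
                                            if digest.startswith(prefix)), "unknown")
                rest = args[2:]
            else:  # bare "password <secret>": the secret sits in cleartext on disk
                report["password"] = "plaintext"
                rest = args[1:]
            if rest:  # trailing argument: menu file loaded once the password is entered
                report["menu_file"] = rest[0]
        elif tokens[0] == "title":
            title = " ".join(tokens[1:])
            report["unlocked"].append(title)
        elif tokens[0] == "lock" and title is not None:
            report["unlocked"].remove(title)
            report["locked"].append(title)
    return report
```

Entries listed under "unlocked" can still be booted without the password; a "plaintext" result means the secret is readable by anyone who can read grub.conf.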


11 comments

1 chris September 19, 2011 at 4:03 am

I'm learning Linux at home after doing an introductory course at the Open University.
These articles/tutorials are simple, invaluable and interesting. Great stuff.
Regards, Chris

2 Dennis September 19, 2011 at 7:30 am

Great tutorial as usual. I am thankful.

3 jalal hajigholamali September 19, 2011 at 11:45 am

Hi,

Very useful article..

thanks a lot

4 ItsMe September 20, 2011 at 11:27 am

Mhhh,
this does not secure the system as much as you think.
The purpose of the password is to restrict access to the boot process. So the attacker has physical access to the box.

Then it is easy to boot from any external boot media like CD/DVD, USB stick, network or whatever, so you get access to the whole filesystem; just start vi, joe, $EDITOR_OF_YOUR_CHOICE and delete the line where the password is written.

That's not much more effort than a restart; then restart the machine and boot from disk. Conclusion: the grub password is a delusive security.

But hey, it's better than nothing ;)

5 jalal hajigholamali September 20, 2011 at 11:46 am

Hi,

Physical security is very important (ISO 27001).

If somebody can access a computer, he/she can do anything...

6 Leslie Satenstein September 24, 2011 at 8:29 pm

Perhaps I am wrong, but if someone has access to the server as root or with a wide-open sudo alternative, then he can:

copy grub.conf to grub.other
edit grub.other to remove password line
copy grub.other to grub.conf

And the next boot will be without a password check.
grub.conf is not locked up once use has been made of it.

7 Chander October 2, 2011 at 1:07 am

Really, sir, these examples are so much help for learning. I have just become your fan.

8 Ganesh October 6, 2011 at 11:16 pm

Now there is no grub.conf in Ubuntu... so what to do then?

9 Vicky January 12, 2012 at 4:45 am

I use Xubuntu 11.10. I cannot find this grub.conf file; the closest I get is grub.cfg, which looks different from the examples I have seen, and initially states the following:

#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

10 Sher January 30, 2013 at 6:13 am

Great tutorial, thanks.

I have a question: what if I have forgotten both my grub and root password? In that case, is there a way to do a GRUB password reset?

11 Tricky April 4, 2014 at 4:43 am

To remove a forgotten boot password when you are locked out you can boot the machine from DVD/USB and edit the grub.conf from a rescue command prompt.

# Mount the partition that holds /boot so we can access it
mount /dev/sda1 /mnt

# Edit the grub.conf to remove the password line
vi /mnt/boot/grub/grub.conf
