How to Set Linux Grub Password with Examples

The boot loader is an integral part of the computer. In computing, booting is the set of operations that a computer system performs when it is powered on. Today, modern computers take one-tenth of a second and typically perform a power-on self-test (POST). A boot loader is a computer program that loads the main operating system of the computer after the self-tests complete.

Today, most Linux distributions use GRUB 2 as their boot loader. GRUB 2 (GNU GRand Unified Bootloader) is a boot loader package from the GNU Project.

GRUB 2 configuration is based on the files described below.

GRUB 2 scripts search the user's computer and build a boot menu based on what operating systems the scripts find. To reflect the latest system boot options, the boot menu is rebuilt automatically when the kernel is updated or a new kernel is added. However, users may want to build a menu containing specific entries or to have the entries in a specific order. GRUB 2 allows basic customization of the boot menu to give users control of what actually appears on the screen.

GRUB 2 uses a series of scripts to build the menu. These are located in the /etc/grub.d/ directory:

  • 00_header, which loads GRUB 2 settings from the /etc/default/grub file.
  • 10_linux, which locates kernels in the default partition of Red Hat Enterprise Linux.
  • 30_os-prober, which builds entries for operating systems found on other partitions.
  • 40_custom, a template used to create additional menu entries.

Scripts from the /etc/grub.d/ directory are read in alphabetical order and can therefore be renamed to change the boot order of specific menu entries.

1. Set Grub boot password on Debian based system

With Grub 2, there is no /boot/grub/menu.lst. It has been replaced by /boot/grub/grub.cfg. grub.cfg is overwritten by certain Grub 2 package updates, whenever a kernel is added or removed, or when the user runs update-grub.

Enabling Grub 2 password protection must respect the conditions below:

  • the authorized users must be identified,
  • their passwords must be designated,
  • menu items to be protected must be identified.

Users and passwords are manually added to the /etc/grub.d/00_header file. The file must be edited by an Ubuntu user with administrative authority (root) since it is a system file. The user/password information is automatically added to the GRUB 2 menu configuration file (grub.cfg) when update-grub is run.

a. Generate Encrypted Password

To make GRUB require a password to start the system, we have to generate an encrypted password using the grub-mkpasswd-pbkdf2 command. Encrypted password protection has been available in all versions of GRUB 2.

# grub-mkpasswd-pbkdf2
Enter password: 
Reenter password: 
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.380AD91E6C36BB4018B5CABDAFF5CABC52A16B6EFF503B6BB2E21199C006C526AEE3A2FF8CF41F9A07AEFB1E8E2275ABB44C41B1429B9C5D509786E2B57A51DA.989F1E9FAC061899E1BB8CB38D2119B26E6CE79A5CBB637E5A611AE099EBBF7CD9BCF1A3EC516CE0E4AD007B7DF8E679220BC845E07E440F134DED2537081F54

This command converts your desired password into a very long PBKDF2 hash, which is what gets placed in the GRUB 2 files. Your actual password is no longer visible in the GRUB 2 scripts. While physical access to a computer can bypass the GRUB 2 menu, the hash makes it much more difficult for the casual hacker to determine your menu passwords.

b. Set the Password on GRUB2 main Configuration File

The superuser/user information and password do not have to be contained in the /etc/grub.d/00_header file. The information can be placed in any /etc/grub.d file as long as that file is incorporated into grub.cfg. The user may prefer to enter this data into a custom file, such as /etc/grub.d/40_custom, so that it is not overwritten when the GRUB package is updated.

# cp /etc/grub.d/40_custom /etc/grub.d/40_custom.old

Open the custom file with a text editor and add the content below at the end of it. Then replace grub.pbkdf2.sha512.xxxxx with the encrypted password value displayed above.

# vim /etc/grub.d/40_custom

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.380AD91E6C36BB4018B5CABDAFF5CABC52A16B6EFF503B6BB2E21199C006C526AEE3A2FF8CF41F9A07AEFB1E8E2275ABB44C41B1429B9C5D509786E2B57A51DA.989F1E9FAC061899E1BB8CB38D2119B26E6CE79A5CBB637E5A611AE099EBBF7CD9BCF1A3EC516CE0E4AD007B7DF8E679220BC845E07E440F134DED2537081F54

c. Update the grub File

Run the following command to generate the new grub.cfg file:

# grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...

You can now restart the system, which will prompt you for the user (root) and the password.

For security, when you enter the password, nothing appears on the screen. When finished, just validate and the system will boot. Password protection for booting is enabled and only the designated superuser can edit a Grub 2 menu item by pressing "e" or access the GRUB 2 command line by pressing "c".

2. Set Grub password only for modifying menu entries on CentOS and RHEL 7.1

To set a password on other distributions with GRUB 2, you must use the grub2-mkpasswd-pbkdf2 command.

a. Generate Encrypted Password

Note the "grub2-x-x" instead of "grub-x-x" as for Debian system.

# grub2-mkpasswd-pbkdf2

On RHEL 7.1 or RHEL 7.0, you can also use the same command.

b. Set the Password on GRUB2 main Configuration File

The procedure is the same as the steps for Debian system.

# cp /etc/grub.d/40_custom /etc/grub.d/40_custom.old
# vim /etc/grub.d/40_custom

c. Update the grub File

Here we will use the grub2-mkconfig command. Note again the "grub2-x" instead of "grub-x" as on a Debian system.

# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...

The grub password protection is enabled only for the designated superuser who can edit a Grub 2 menu item by pressing "e" or "c".

3. Set Grub password for modifying and booting entries menu on CentOS 7 and RHEL 7.2

On RHEL 7.2 (and higher) and CentOS 7, GRUB 2 also offers password protection with the grub2-setpassword command.

a. Set password for modifying entries menu

Setting a password using grub2-setpassword protects menu entries from unauthorized modification but not from unauthorized booting:

# grub2-setpassword
Enter password:
Confirm password:

At this step, the grub password protection is enabled only for the designated superuser who can edit a Grub 2 menu item by pressing "e" or "c". This procedure creates a /boot/grub2/user.cfg file that contains the hash of the password. The user for this password, root, is defined in the /boot/grub2/grub.cfg file. With this change, modifying a boot entry during booting requires you to specify the root user name and your password.

Do not manually add the superuser account and password to the grub.cfg file because the grub2-mkconfig command will overwrite this file when re-generating it.

b. Set password for booting entries menu

To require the grub password for booting menu entries as well as for modifying them, continue with the following steps:

  • open the /boot/grub2/grub.cfg file
  • find the boot entry that you want to protect with password by searching for lines beginning with menuentry
  • delete the --unrestricted parameter from the menu entry block

# vim /boot/grub2/grub.cfg

for example, the line

should look like

Now restart and you will be asked for the password when you will choose the first default menu entry and when you will try to edit entries menu by pressing "e" or "c".
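
The settings from sections 1 to 3 can be checked in the generated file before rebooting. The script below is an added example, not part of the original article: it reports the superusers named in a grub.cfg, whether each has a well-formed password_pbkdf2 hash, and which menuentry lines still carry --unrestricted. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a generated grub.cfg. One finding per line:
#   NO_SUPERUSERS                no superuser is named in the file
#   SUPERUSER <name>
#   HASH_OK <name> <iterations>  well-formed grub.pbkdf2.sha512 value
#   HASH_INDIRECT <name>         hash comes from a variable (e.g. a sourced file)
#   HASH_BAD <name>              malformed or non-PBKDF2 value
#   NO_PASSWORD <name>           superuser without a password_pbkdf2 line
#   UNRESTRICTED <title>         entry boots without a password
#   RESTRICTED <title>           no --unrestricted flag (needs a superuser to matter)
audit_grub_cfg() {
  awk '
    /^[ \t]*set[ \t]+superusers=/ {
      s = $0; sub(/^[^=]*=/, "", s); gsub(/\047|"/, "", s)
      n = split(s, su, /[ ,;&|]+/)      # separators GRUB accepts in this list
    }
    /^[ \t]*password_pbkdf2[ \t]/ {
      split($3, f, /\./)                # grub.pbkdf2.sha512.<iter>.<salt>.<hash>
      if ($3 ~ /^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$/)
        pw[$2] = "HASH_OK " $2 " " f[4]
      else if ($3 ~ /^\$/) pw[$2] = "HASH_INDIRECT " $2
      else pw[$2] = "HASH_BAD " $2
    }
    /^[ \t]*menuentry[ \t]/ {
      split($0, p, /\047|"/)            # p[2] is the quoted entry title
      e[++m] = (($0 ~ / --unrestricted/) ? "UNRESTRICTED " : "RESTRICTED ") p[2]
    }
    END {
      if (n == 0) print "NO_SUPERUSERS"
      for (i = 1; i <= n; i++) if (su[i] != "") {
        print "SUPERUSER " su[i]
        print ((su[i] in pw) ? pw[su[i]] : "NO_PASSWORD " su[i])
      }
      for (i = 1; i <= m; i++) print e[i]
    }' "$1"
}

# Constructed sample standing in for grub.cfg; the hash is shortened filler.
sample_cfg() {
  cat <<'EOF'
set superusers="root admin"
password_pbkdf2 root grub.pbkdf2.sha512.10000.0A1B2C3D.4E5F6071
menuentry 'Example Linux' --class gnu-linux --unrestricted {
}
menuentry 'Example Linux (rescue)' --class gnu-linux {
}
EOF
}

tmp=$(mktemp) && sample_cfg > "$tmp" && audit_grub_cfg "$tmp"; rm -f "$tmp"
```

On a real system, run audit_grub_cfg as root against the generated file, such as /boot/grub/grub.cfg or /boot/grub2/grub.cfg. A HASH_INDIRECT finding means the hash itself lives in another file, such as the user.cfg created by grub2-setpassword, and should be checked there.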

4. Set a password for old distributions using legacy GRUB

For old distributions using legacy GRUB, it is possible to set a grub password with the grub-md5-crypt command:

# grub-md5-crypt

Then modify the /boot/grub/menu.lst file to insert the encrypted password:

# vim /boot/grub/menu.lst

Conclusion

To set grub password, make the customizations you want to make to the GRUB config first before you do anything else. It is possible to secure boot process and the modification of entries menu with the grub password process. You just need to know exactly what you need. The grub2-setpassword tool was added in Red Hat Enterprise Linux 7.2 and is now its standard method of setting GRUB 2 passwords.

About Bobbin Zachariah

Founder of LinOxide, passionate lover of Linux and technology writer. Started his career in Linux / Opensource from 2000. Love traveling, blogging and listening music. Reach Bobbin Zachariah about me page and google plus page.
