How to Set GRUB Password on Linux

GNU GRUB is the GRand Unified Bootloader from GNU. The bootloader is the first software program that runs during system startup. GRUB can load different operating systems. If you have Linux installed on your system, you have probably seen the bootloader menu from which you can choose between different operating systems. This tutorial shows how to install GRUB and set a GRUB password on Linux.

GRUB stages

GRUB is a multi-stage bootloader. The first stage of GRUB resides either in the MBR (Master Boot Record) or in the boot sector of a partition. This stage is very small: it occupies only the first 446 bytes of the MBR (or of the partition's boot sector). Its sole purpose is to locate the second stage.

Stage 2 performs all the tasks of the bootloader, such as loading the kernel and the initrd. This stage reads the GRUB configuration file for its commands.

GRUB configuration file

The GRUB configuration file controls what you see at boot time. In Red Hat Enterprise Linux it is located at /boot/grub/grub.conf. In distributions such as Ubuntu it is /boot/grub/grub.cfg or /boot/grub/menu.lst, depending on the version. Whatever the location of the configuration file, the basic commands used in it remain the same. Let's have a look at a sample configuration file:

# grub.conf generated by anaconda
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
# initrd /initrd-version.img
default=0
timeout=5
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-238.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-238.el5 ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.18-238.el5.img
title Windows XP Pro
        rootnoverify (hd0,1)
        chainloader +1

In this configuration file, the lines starting with # are comments. The other parameters are:

default: This specifies the default entry to boot if no key is pressed before the timeout expires. The numbering starts with 0. So, to boot the first entry by default, the value must be 0, as in this configuration file.

timeout: This is the time in seconds for which GRUB will wait before it boots the default entry.

hiddenmenu: This specifies that the menu will not be displayed and the default entry will be booted. The menu can still be displayed by pressing any key before the timeout expires.

title: This specifies the name that will appear on the selection menu. The commands following the title are the GRUB commands that will execute when that menu entry is selected.

In a newer version of GRUB, i.e. GRUB2, "title" has been replaced by "menuentry".

GRUB commands

GRUB can be used through a menu-driven interface or a command-line interface. The menu-driven interface uses a configuration file like the one above. The command-line interface requires entering the commands manually. GRUB supports the following commands:

root: The root command specifies the root device on which the compressed kernel image and initrd reside. hd0,0 means the first hard disk and its first partition. Similarly, to specify the second partition, hd0,1 is used. If you have more than one hard disk, they are specified as hd0, hd1, hd2, etc.

kernel: This specifies which kernel file to use. The boot time kernel parameters are passed to this line.

initrd: The initial ramdisk to be used.

GRUB supports chainloading other bootloaders for booting operating systems such as Windows. Chainloading is the mechanism by which GRUB passes control to another bootloader, which is then responsible for booting the system.

rootnoverify is like root, but it does not attempt to mount the partition specified. This is used for specifying the partition on which the secondary bootloader resides.

The chainloader command chainloads, i.e. passes control to, the other bootloader. In the above file, +1 with chainloader specifies that the bootloader is present in the first sector of the partition.

Installing GRUB

If your MBR somehow gets overwritten by another bootloader, you can reinstall GRUB using the grub-install command. You need to provide your hard disk as the parameter to this command. So, to install the first stage of GRUB on the MBR of your first hard disk, run:

# grub-install /dev/sda
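
The 446-byte stage 1 area described under "GRUB stages" can be inspected directly, for example before and after running grub-install. The script below is an added example, not part of the original tutorial; mbr_report is a hypothetical helper name, and the 512-byte image is constructed so the script runs without touching a real disk.

```shell
#!/bin/sh
# Added example: report what sector 0 of a disk or image contains.
# mbr_report IMAGE -> prints "bootcode=<grub|other> signature=<valid|invalid>"
mbr_report() {
    img=$1
    # Bytes 0-445 are the boot code area that holds stage 1.
    # GRUB stage 1 embeds the string "GRUB " in that area.
    if dd if="$img" bs=1 count=446 2>/dev/null | LC_ALL=C grep -aq 'GRUB '; then
        code=grub
    else
        code=other
    fi
    # Bytes 446-509 are the partition table; bytes 510-511 are the
    # boot signature, 55 aa on a valid MBR.
    sig=$(dd if="$img" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$sig" = 55aa ]; then
        sigstate=valid
    else
        sigstate=invalid
    fi
    echo "bootcode=$code signature=$sigstate"
}

# Constructed sample: a zeroed sector with a GRUB marker inside the
# boot code area and a valid boot signature.
sample=$(mktemp)
dd if=/dev/zero of="$sample" bs=512 count=1 2>/dev/null
printf 'GRUB ' | dd of="$sample" bs=1 seek=100 conv=notrunc 2>/dev/null
printf '\125\252' | dd of="$sample" bs=1 seek=510 conv=notrunc 2>/dev/null
mbr_report "$sample"
rm -f "$sample"
```

To inspect a real disk, run mbr_report /dev/sda as root.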

Password protecting GRUB

While installing the OS, you are asked if you want to provide a password for GRUB. But how do you password protect GRUB after OS installation? GRUB stores an MD5 hash of the password. So first, we need to generate the MD5 hash of the password. You can use the grub-md5-crypt command to generate the password hash as follows:

# grub-md5-crypt
Password:
Retype password:
$1$PHhFm0$yBhuvWGfhmG1IEPXfASeW.

The characters don't echo on the screen as you type the password. Now copy this MD5 hash and place the following line in the GRUB configuration file:

password --md5 $1$PHhFm0$yBhuvWGfhmG1IEPXfASeW.

That's it. Now when you boot your system next time and try to change any command in GRUB, you will need to unlock it using the password you just provided.
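
Where the password line sits in the file matters: in GRUB legacy it has to appear in the global section, before the first title, to lock the menu editor and the command line; placed after a title it only guards that one entry. The script below is an added example (not from the original tutorial) that checks the placement, that the --md5 form is used rather than a clear-text password, and that the file is mode 600; the function name, finding labels and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a GRUB legacy config for the password setup above.
# audit_grub_password FILE -> prints findings, one per line:
#   global-md5           hashed password in the global section
#   global-plaintext     global password stored in clear text
#   entry-only-password  password found only inside menu entries
#   no-password          no password directive at all
#   mode-not-600         file is not restricted to root read/write
audit_grub_password() {
    conf=$1
    awk '
        $1 ~ /^#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == "title" { in_entry = 1; next }   # global section ends at first title
        $1 == "password" {
            if (in_entry) per_entry++
            else if ($2 == "--md5" && $3 ~ /^\$1\$/) g = "global-md5"
            else g = "global-plaintext"
        }
        END {
            if (g != "") print g
            else if (per_entry) print "entry-only-password"
            else print "no-password"
        }
    ' "$conf"
    # The file holds the hash, so only root should be able to read it.
    [ "$(stat -c %a "$conf")" = 600 ] || echo "mode-not-600"
}

# Constructed sample: the hash from this tutorial in the global section.
demo=$(mktemp)
cat > "$demo" <<'EOF'
default=0
timeout=5
password --md5 $1$PHhFm0$yBhuvWGfhmG1IEPXfASeW.
title Red Hat Enterprise Linux Server (2.6.18-238.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-238.el5 ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.18-238.el5.img
EOF
chmod 600 "$demo"
audit_grub_password "$demo"
rm -f "$demo"
```

On Red Hat Enterprise Linux, point it at /boot/grub/grub.conf as root.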

