Password protected GRUB in Linux/UNIX

Written by Santosh Prasad

As a system administrator, you should protect the GRUB bootloader menu so that nobody can change its entries. GRUB (Grand Unified Bootloader) is the default bootloader on all Linux/UNIX systems and is the third stage of the Linux boot process. By default it is unprotected, so anyone can boot into single-user mode and change your system settings. GRUB's security features allow us to set a password on GRUB entries; once a password is set, nobody can edit the entries without it. I suggest protecting GRUB with a password on every critical production server.

In this article I will explain how to set a password on GRUB on a Linux/UNIX system.

How to Protect Grub with Password

Follow the steps below to protect GRUB entries.

Step #1: Log in to the server as the root user and open a terminal. Create a password for GRUB with the command below. When prompted, type your GRUB password twice and press Enter. The command prints the MD5 hash of the password. Copy the hash and note it down.

# grub-md5-crypt

You will get some output like below.

# grub-md5-crypt
Password:
Retype password:
$1$pgjiX1$PVxHe8rI0a1S.Cgh4AKzB.

Step #2: Now open the /boot/grub/grub.conf file to add the MD5 password. You can also edit /boot/grub/menu.lst, because both are the same file, joined by a symbolic link.

# vim /boot/grub/menu.lst
OR
# vim /boot/grub/grub.conf

Note: Back up the file before editing it, so that you can revert if you make a wrong entry.

Step #3: Now add the MD5 password to the GRUB configuration file, as in the password --md5 line below.

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/sda3
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
password --md5 $1$pgjiX1$PVxHe8rI0a1S.Cgh4AKzB.
hiddenmenu
title CentOS (2.6.32-279.5.2.el6.i686)
lock
root (hd0,0)
kernel /vmlinuz-2.6.32-220.el6.x86_64 ro root=UUID=224b3aa3-6cd2-4634-a409-1a834c46fa9c rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
initrd /initramfs-2.6.32-220.el6.x86_64.img

Step #4: Now reboot the system and press 'p' in the GRUB menu to enter it; you will be prompted to type the password.
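The edit from Steps #2 and #3 can be checked before the reboot. The script below is an added example, not part of the original article; the function name audit_grub_conf, its exit codes and the sample entry "Rescue (constructed)" are assumptions made here. It verifies that a well-formed password --md5 line sits before the first title and lists the entries that have no lock line.

```sh
#!/bin/sh
# Added example (not from the article): audit a GRUB legacy config for the
# "password --md5" setup above. Exit 0 = OK, 1 = finding, 2 = unreadable.
audit_grub_conf() {
    [ -r "$1" ] || { echo "FAIL: cannot read $1"; return 2; }
    awk '
        # md5-crypt layout: $1$ + salt (1-8 chars) + $ + 22-char digest
        function md5ok(h,   p, n) {
            n = split(h, p, "[$]")
            return n == 4 && p[1] == "" && p[2] == "1" &&
                   length(p[3]) >= 1 && length(p[3]) <= 8 &&
                   length(p[4]) == 22 && (p[3] p[4]) ~ "^[./0-9A-Za-z]+$"
        }
        # Report an entry that has no "lock": it boots without the password.
        function close_entry() {
            if (in_entry && !locked) print "INFO: no lock, boots without password: " name
        }
        /^[ \t]*#/ { next }                       # skip comment lines
        $1 == "password" && !in_entry {           # global section only
            seen = 1
            if ($2 != "--md5") { print "FAIL: password line is not in --md5 form"; bad = 1 }
            else if (!md5ok($3)) { print "FAIL: malformed md5-crypt hash: " $3; bad = 1 }
        }
        $1 == "title" {
            close_entry(); in_entry = 1; locked = 0
            name = $0; sub(/^[ \t]*title[ \t]+/, "", name)
        }
        $1 == "lock" && in_entry { locked = 1 }
        END {
            close_entry()
            if (!seen) { print "FAIL: no global password line before the first title"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample config (the hash value is the one shown in the article).
demo=$(mktemp)
printf '%s\n' 'default=0' 'timeout=5' \
    'password --md5 $1$pgjiX1$PVxHe8rI0a1S.Cgh4AKzB.' \
    'title CentOS' 'lock' 'root (hd0,0)' \
    'title Rescue (constructed)' 'root (hd0,0)' > "$demo"
audit_grub_conf "$demo" && echo "password setup looks OK"
rm -f "$demo"
```

On a real system, run it as root against the file edited in Step #2, for example audit_grub_conf /boot/grub/grub.conf.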

I hope this article helps you protect GRUB entries with a password. If you have any issues or questions, please feel free to mention them in the comment box below.

Thanks:)
