How to Protect GRUB with Password in RHEL / CentOS / Fedora Linux
GRand Unified Bootloader (GRUB) is a default bootloader in all Unix-like operating system. As promised in our earlier article “How to reset a forgotten root password“, here we are going to review how to protect GRUB with password. As mentioned earlier post, anyone can login into single user mode and may change system setting as needed. This is the big security flow. So, to prevent such unauthorized person to access system we may required to have grub with password protected.
Here, we’ll see how to prevent user from entering into single user mode and changing the settings of system who may have direct or physical access of system.
Cautious: We urge to take backup of your data and try it out at your own risk.
How to Password Protect GRUB
STEP 1: Create a password for GRUB, be a root user and open command prompt, type below command. When prompted type grub password twice and press enter. This will return MD5 hash password. Please copy or note it down.
[[email protected] ~]# grub-md5-crypt
Sample Output:
[[email protected] ~]# grub-md5-crypt Password: Retype password: $1$19oD/1$NklcucLPshZVoo5LvUYEp1
Step 2: Now you need to open the /boot/grub/menu.lst or /boot/grub/grub.conf file and add the MD5 password. Both files are same and symbolic link to each other.
[[email protected] ~]# vi /boot/grub/menu.lst OR [[email protected] ~]# vi /boot/grub/grub.conf
Note : I advise you to take backup of the files before making any changes to it, if in case something goes wrong you can revert it.
STEP 3: Add the newly created MD5 password in GRUB configuration file. Please paste copied password below timeout line and save it and exit. For example, Enter the line password –md5 <add the copied md5 string from step 1> above.
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/sda3
# initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
password --md5 $1$TNUb/1$TwroGJn4eCd4xsYeGiBYq.
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-279.5.2.el6.i686)
root (hd0,0)
kernel /vmlinuz-2.6.32-279.5.2.el6.i686 ro root=UUID=d06b9517-8bb3-44db-b8c5-7710e183edb7 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet
initrd /initramfs-2.6.32-279.5.2.el6.i686.img
title centos (2.6.32-71.el6.i686)
root (hd0,0)
kernel /vmlinuz-2.6.32-71.el6.i686 ro root=UUID=d06b9517-8bb3-44db-b8c5-7710e183edb7 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet
initrd /initramfs-2.6.32-71.el6.i686.img
STEP 4: Reboot system and try it pressing ‘p‘ to enter password to unlock and enable next features.
Password Protect Grub in Linux
This is how we can protect GRUB with password. Let us know how do you secure your system? via comments.
Please visit grub security online manual pages for more information at GRUB Security.
Excellent article
This will only protect the installed group, it’s still possible to boot up grub from a usb drive and then boot the Linux kernel in single-user mode from there.
But what about if you forbidden boot from USB?
Hi sir, this article was helpful, but terminal says grub command not found. What can be the issue?
What this equates to user commands ubuntu?
Thanks Alot
Hello , this was very help full for me
i have tried this it worked well and also i have tried removing the password in /etc/grub.conf file . i have doubt here if i forget the root password i will reset through single user mode . for suppose if i forget the password for both root and grub password . then hw can i recover it . please help me out in this
@Samanth,
Same way, go the the single user mode and remove the grub password from the grub menu configuration file and for resetting root password follow these guides.
https://www.tecmint.com/reset-forgotten-root-password-in-centos-7-rhel-7/
https://www.tecmint.com/reset-forgotten-root-password-in-rhel-centos-and-fedora/
@ravi Saive , thanks for the reply , actually my doubt is how can we enter into single user mode without providing the grub password . the e ( for edit ) it self is not shown there and only the ” p ” option is displaying. please let me know this . sorry for asking you the silly doubts i just want to clear my doubt . thanks in Advance .
@Samanth,
Sorry for my last comment, actually you can’t switch to single user mode when grub is password protected, the only way is to recover is using Linux Live CD. Boot into Linux using Linux Live CD, mount the root partition in rw mode and remove the password in the grub configuration file…
thank a lot, thank for the support @ravi Saive.