GRand Unified Bootloader (GRUB) is a default bootloader in all Unix-like operating systems. As promised in our earlier article “How to reset a forgotten root password”, here we are going to review how to protect GRUB with a password.
As mentioned in the earlier post, anyone can boot into single-user mode and change system settings as they like. This is a big security flaw. To prevent such unauthorized access to the system, GRUB needs to be password protected.
Here, we’ll see how to prevent users who have direct or physical access to the system from entering single-user mode and changing its settings.
Generate GRUB Bootloader Password
To create a password for GRUB, become the root user, open a command prompt, and type the command below.
When prompted, type the GRUB password twice and press Enter.
This will generate a hashed GRUB bootloader password in the file /boot/grub2/user.cfg, which can be viewed using the cat command as shown.
# cat /boot/grub2/user.cfg
Recreate the GRUB Configuration File
After creating the GRUB password, you need to regenerate the GRUB configuration file by running the following command.
# grub2-mkconfig -o /boot/grub2/grub.cfg
The above command will set the grub password in the configuration file. Now, reboot the system and check if the new GRUB password is set properly.
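The on-disk state can also be checked before rebooting. The following is an added example, not part of the original article: a hypothetical helper, check_grub_password, that inspects the two files named above. It assumes the RHEL-family layout, where user.cfg holds a GRUB2_PASSWORD=grub.pbkdf2.sha512... line (as written by grub2-setpassword) and the generated grub.cfg contains the superusers/password_pbkdf2 stanza.

```shell
#!/bin/sh
# Added example (not from the original article): offline check that GRUB
# password protection is in place. Default paths are the ones the article uses.

# check_grub_password [USER_CFG] [GRUB_CFG]
# Prints one finding per line; returns 0 if protected, 1 otherwise.
check_grub_password() {
    user_cfg=${1:-/boot/grub2/user.cfg}
    grub_cfg=${2:-/boot/grub2/grub.cfg}
    rc=0

    # 1. The hash file must exist; deleting it is how protection is removed.
    if [ ! -f "$user_cfg" ]; then
        echo "FAIL: $user_cfg missing, no GRUB password is set"
        return 1
    fi

    # 2. Assumed format: GRUB2_PASSWORD=grub.pbkdf2.sha512.<iter>.<salt>.<hash>
    if grep -Eq '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$' "$user_cfg"; then
        echo "OK: PBKDF2 hash present in $user_cfg"
    else
        echo "FAIL: no valid GRUB2_PASSWORD hash in $user_cfg"
        rc=1
    fi

    # 3. Hardening check (warning only): the hash should not be readable by
    #    group/other, since a leaked hash can be attacked offline.
    perms=$(ls -ld "$user_cfg" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "WARN: $user_cfg is accessible to group/other ($perms)"
    fi

    # 4. grub.cfg must contain the stanza that applies the hash at boot.
    for kw in 'superusers=' 'password_pbkdf2'; do
        if ! grep -q "$kw" "$grub_cfg" 2>/dev/null; then
            echo "FAIL: '$kw' not found in $grub_cfg, re-run grub2-mkconfig"
            rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK: GRUB menu editing is password protected"
    return "$rc"
}
```

Run as root with no arguments to check the live files, or pass alternate paths to check a mounted image.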
Testing GRUB Password Protection
After your system restarts, you will get the following GRUB screen, where you have 5 seconds to interrupt the normal boot process. So quickly press the e key to interrupt the boot process.
Once you press the e key, it will prompt you to enter the GRUB password as shown.
After entering the right username and password, you can edit GRUB parameters as shown.
Removing GRUB Password Protection
To remove GRUB password protection from the boot menu, simply delete the file /boot/grub2/user.cfg.
# rm /boot/grub2/user.cfg
This is how we can protect GRUB with passwords. Let us know in the comments how you secure your system.