How to Protect GRUB with Password in RHEL / CentOS / Fedora Linux
GRand Unified Bootloader (GRUB) is a default bootloader in all Unix-like operating system. As promised in our earlier article “How to reset a forgotten root password“, here we are going to review how to protect GRUB with password. As mentioned earlier post, anyone can login into single user mode and may change system setting as needed. This is the big security flow. So, to prevent such unauthorized person to access system we may required to have grub with password protected.
Here, we’ll see how to prevent user from entering into single user mode and changing the settings of system who may have direct or physical access of system.
Cautious: We urge to take backup of your data and try it out at your own risk.
How to Password Protect GRUB
STEP 1: Create a password for GRUB, be a root user and open command prompt, type below command. When prompted type grub password twice and press enter. This will return MD5 hash password. Please copy or note it down.
[[email protected] ~]# grub-md5-crypt
Sample Output:
[[email protected] ~]# grub-md5-crypt Password: Retype password: $1$19oD/1$NklcucLPshZVoo5LvUYEp1
Step 2: Now you need to open the /boot/grub/menu.lst or /boot/grub/grub.conf file and add the MD5 password. Both files are same and symbolic link to each other.
[[email protected] ~]# vi /boot/grub/menu.lst OR [[email protected] ~]# vi /boot/grub/grub.conf
Note : I advise you to take backup of the files before making any changes to it, if in case something goes wrong you can revert it.
STEP 3: Add the newly created MD5 password in GRUB configuration file. Please paste copied password below timeout line and save it and exit. For example, Enter the line password –md5 <add the copied md5 string from step 1> above.
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/sda3
# initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
password --md5 $1$TNUb/1$TwroGJn4eCd4xsYeGiBYq.
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-279.5.2.el6.i686)
root (hd0,0)
kernel /vmlinuz-2.6.32-279.5.2.el6.i686 ro root=UUID=d06b9517-8bb3-44db-b8c5-7710e183edb7 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet
initrd /initramfs-2.6.32-279.5.2.el6.i686.img
title centos (2.6.32-71.el6.i686)
root (hd0,0)
kernel /vmlinuz-2.6.32-71.el6.i686 ro root=UUID=d06b9517-8bb3-44db-b8c5-7710e183edb7 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet
initrd /initramfs-2.6.32-71.el6.i686.img
STEP 4: Reboot system and try it pressing ‘p‘ to enter password to unlock and enable next features.
Password Protect Grub in Linux
This is how we can protect GRUB with password. Let us know how do you secure your system? via comments.
Please visit grub security online manual pages for more information at GRUB Security.
Hi,
I’m new in linux. We forgot both the root password and GRUB password.
How can I reset both? Also, how can i go to single user mode to remove the GRUB password?
Thank you
@Jun,
I hope these articles will help you out to recover your forgotten passwords..
i forgot the grub’s password, can you help me please. Thanks in advance.
@Omar,
Go to the single user mode and remove the Grub password…
FOR CENTOS…….LINUX
*HOW TO SET BOOT PASSWORD*
login root (#)
#vim /etc/grub.conf
:se nu
13 no line…… press enter key and go next line (14 no line)
password ******
:wq
hi
i followed the above steps in redhat linux . i did not get error . it didnt ask me the grub password …why ? can u tell me y its happened ………..
grub is not showing up all the installed operating systems.
I have rhel 6 64-bit os after that i installed centos 64-bit after installing centos rhel 6 is not showing up in grub..
whereas i am also having windows 7 which is active all the time
Thanks for your great info.
If e person boot via a Live CD or another OS, they can access to all HDD files & folders. How can we protect it?
How about Ubuntu? :/
Hai
how r u,
This is MOhan
I have one doubt How to change the grub password in Rhel 6
Regards
Mohan
mail:[email protected]
Please go through the article, we already explained very clearly how to protect grub with password. Follow same procedure for changing.
No there are different files in 18 because it uses grub 2 it does not work
What about Fedora 17/18? I think your solution won’t work with the latest versions.
I think it should work with latest Linux versions too,because the grub file is the same and procedure also. Why not you try and tell us.