How to protect GRUB bootloader with password

The article “How to reset a forgotten login password in Linux” shows that a Linux login password, whether root's or any other user's, can be reset very quickly and easily.

The essence of the method described there is to edit the GRUB bootloader options so that the system boots into single-user mode. Such a simple way to bypass the root password may have made someone wonder: is it possible to protect Linux from having its passwords changed at boot time? More precisely, is it possible to prohibit changing the boot options in GRUB?

On the one hand, yes: you can set a password for editing the GRUB bootloader options, and this article shows how to configure it. On the other hand, keep in mind that the configuration lives in GRUB's plain-text configuration files on the disk. Anyone with physical access who can boot a live distribution can mount the disk and bypass this protection by editing those files (removing the password lines from /boot/grub/grub.cfg, or from /etc/grub.d and regenerating it). With physical access there is also always the option of unplugging the hard drive and reading its contents on another system. Real data protection is provided only by file encryption or full-disk encryption; a boot password on its own is not a reliable protection.

Recommended: see also “How to install VeraCrypt on Linux”.

Nevertheless, the described method can at least slow down or confuse a person who is not authorized to change a Linux password. And when it is combined with additional measures, for example disabling booting from external devices in the firmware setup (and protecting that setup with its own password) and controlling physical access to the machine, it does protect against booting into single-user mode.

GRUB password protection can be set up in two ways:

  1. A password is required both to boot the system and to edit the boot options.
  2. Anyone can boot the system without a password, but a password is required to edit the boot options.

Let’s consider both of these options.

Note: if you use the boot password for GRUB2, then the splash screen will not be displayed during boot.

Setting a password to boot the system and edit boot options

To set the boot password, perform the following steps (generating the hash does not require root; editing the configuration does):

Using the grub-mkpasswd-pbkdf2 utility, generate a password hash:

sudo grub-mkpasswd-pbkdf2

Enter and confirm the password:

Enter password:
Reenter password:

A line like this will be shown:

PBKDF2 hash of your password: grub.pbkdf2.sha512.10000.479775BC85F7B0D174D53F85338955DA8B79E35A641C7B814387D2E8CB3353DBB0925E9E2AB7D5986C2B995AD6E96A793D92F17CC1438AB226249AEDC629FDD0.867369FB465ED73F5CB495A375FCF294C1F39B8E0D481B33F4F5C4D245E140CD11D9135CBAE646DD5CC168C037EF4D5F6B935A2A32D1103F9A7ADB81AA9101D4

From the output, copy the entire string beginning with “grub.pbkdf2.sha512.10000.” up to its end. It consists of the iteration count, the salt and the derived key separated by dots, and only the complete string is usable.

Now open the file /etc/grub.d/40_custom

sudo gedit /etc/grub.d/40_custom

and add to it:

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.479775BC85F7B0D174D5...

Since /etc/grub.d/40_custom now contains the password hash, restrict it so that only root can read or modify it. The file must stay executable for its owner, because grub-mkconfig runs every executable script in /etc/grub.d when it builds the configuration:

sudo chmod 700 /etc/grub.d/40_custom

Now regenerate the bootloader configuration file:

sudo grub-mkconfig -o /boot/grub/grub.cfg

On Debian and Ubuntu, sudo update-grub is a wrapper for this command; on distributions that keep the configuration elsewhere (for example /boot/grub2/grub.cfg), use that path. The generated grub.cfg also contains the hash, so check afterwards with ls -l that it is not readable by ordinary users.

After a reboot, selecting any menu item prompts for a username and password. Enter the username from the password_pbkdf2 line (root in the example above) and the password you gave to grub-mkpasswd-pbkdf2. If the credentials are correct, the system continues to boot.

The username at this stage has nothing to do with Linux user accounts; it is only a credential for the bootloader. For example, the user account on my computer is mial; even though I enter root and the password in GRUB, I still log into the system as mial. For this reason you can use any username in /etc/grub.d/40_custom, as long as you do not forget it and the name in set superusers matches the name in the password_pbkdf2 line.

How to configure: anyone can boot, but editing the GRUB options is password protected

Using the grub-mkpasswd-pbkdf2 utility, generate a password hash:

sudo grub-mkpasswd-pbkdf2

Enter and confirm the password:

Enter password:
Reenter password:

A line like this will be shown:

PBKDF2 hash of your password: grub.pbkdf2.sha512.10000.479775BC85F7B0D174D53F85338955DA8B79E35A641C7B814387D2E8CB3353DBB0925E9E2AB7D5986C2B995AD6E96A793D92F17CC1438AB226249AEDC629FDD0.867369FB465ED73F5CB495A375FCF294C1F39B8E0D481B33F4F5C4D245E140CD11D9135CBAE646DD5CC168C037EF4D5F6B935A2A32D1103F9A7ADB81AA9101D4

From the output, copy the entire string beginning with “grub.pbkdf2.sha512.10000.” up to its end; only the complete string is usable.

Now open the file /etc/grub.d/40_custom

sudo gedit /etc/grub.d/40_custom

and add to it:

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.479775BC85F7B0D174D5...

Since /etc/grub.d/40_custom now contains the password hash, restrict it so that only root can read or modify it, keeping it executable for its owner because grub-mkconfig runs every executable script in /etc/grub.d:

sudo chmod 700 /etc/grub.d/40_custom

Now open /etc/grub.d/10_linux and find the CLASS variable, which holds the options that 10_linux adds to every Linux menu entry it generates; this is where the entries that should boot without a password are marked:

sudo gedit /etc/grub.d/10_linux

For example, on my system this line is:

CLASS="--class gnu-linux --class gnu --class os"

Add the --unrestricted option to it so that it reads:

CLASS="--class gnu-linux --class gnu --class os --unrestricted"

Save and close this file. Two caveats: 10_linux belongs to the GRUB package and may be replaced when the package is upgraded, so check the line again after upgrades. And because CLASS is applied to every entry that 10_linux generates, the recovery-mode entries receive --unrestricted as well; if you do not want a recovery entry that can be booted without a password, set GRUB_DISABLE_RECOVERY="true" in /etc/default/grub before regenerating the configuration, and inspect the result with grep -n unrestricted /boot/grub/grub.cfg.

Now regenerate the bootloader configuration file (on Debian and Ubuntu, sudo update-grub does the same):

sudo grub-mkconfig -o /boot/grub/grub.cfg

As a result, the system boots as before, without asking for a password in the bootloader. But when you try to edit the boot options, for example by pressing “e” on a menu entry, you will be prompted for the username and password. Without them, access to the boot options is not given.

If you press Enter at the prompt without entering a password, the normal boot continues and the GRUB options are not changed.
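Before rebooting it is worth reading the generated grub.cfg the way GRUB will, rather than trusting that the edit to 10_linux did what you intended. The following is an added example, not part of the original article and not a GRUB tool: it parses a grub.cfg, reports which superusers and password lines are defined and which menu entries can be booted without a password, taking into account that an entry inside a submenu is only reachable if the submenu itself is unrestricted, and flags two failure modes: a recovery entry that boots without a password, and a superuser named in set superusers that has no password_pbkdf2 line, in which case nobody can authenticate to GRUB at all. The two grub.cfg samples are constructed for the example and modelled on 10_linux output; function names are the example's own.

```python
"""Audit a generated grub.cfg for the password protection configured above.

Added example; it is not part of the original article and not a GRUB tool.
It parses the text of a grub.cfg and reports which entries boot without a
password and which mistakes would leave the machine open or locked out.
"""
import re
import shlex

ENTRY_RE = re.compile(r"""^(menuentry|submenu)\s+(['"])(.*?)\2\s*(.*?)\{$""")
HASH_PREFIX = "grub.pbkdf2.sha512."

# Constructed sample: what 10_linux produces after --unrestricted is added to
# CLASS. CLASS is applied to every entry, including recovery mode, but the
# recovery entry sits inside the "Advanced options" submenu, which is not
# unrestricted, so it still requires the password to reach.
SAMPLE_SUBMENU = """\
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.0A0B.0C0D
function load_video {
  insmod all_video
}
menuentry 'Ubuntu' --class ubuntu --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-simple-1234' {
    linux /vmlinuz root=/dev/sda1 ro quiet splash
}
submenu 'Advanced options for Ubuntu' $menuentry_id_option 'gnulinux-advanced-1234' {
    menuentry 'Ubuntu, with Linux 5.15.0 (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-5.15.0-recovery-1234' {
        linux /vmlinuz root=/dev/sda1 ro recovery nomodeset
    }
}
menuentry 'Memory test (memtest86+)' --users operator {
    linux16 /memtest86+.bin
}
"""

# Constructed sample: the same entries without a submenu (as with
# GRUB_DISABLE_SUBMENU=y), so the recovery entry is now at top level, and a
# superusers name that does not match the password_pbkdf2 line.
SAMPLE_FLAT = """\
set superusers="admin"
password_pbkdf2 root grub.pbkdf2.sha512.10000.0A0B.0C0D
menuentry 'Ubuntu' --class gnu-linux --class gnu --class os --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro quiet splash
}
menuentry 'Ubuntu, with Linux 5.15.0 (recovery mode)' --class gnu-linux --class gnu --class os --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro recovery nomodeset
}
"""


def _own_access(opts):
    """Classify an entry's own options: unrestricted, users (with list), or superuser."""
    tokens = shlex.split(opts)
    if "--unrestricted" in tokens:
        return "unrestricted", []
    if "--users" in tokens:
        i = tokens.index("--users")
        users = re.split(r"[ ,]+", tokens[i + 1]) if i + 1 < len(tokens) else []
        return "users", [u for u in users if u]
    return "superuser", []


def audit_grub_cfg(text):
    report = {"superusers": [], "pbkdf2_users": [], "entries": [], "warnings": []}
    stack = []  # one item per open '{': a submenu's own access, or None for other blocks
    for raw in text.splitlines():
        line = raw.strip()
        if line == "}":
            if stack:
                stack.pop()
            continue
        if line.startswith("set superusers="):
            value = line.split("=", 1)[1].strip("'\"")
            report["superusers"] = [u for u in re.split(r"[ ,]+", value) if u]
            continue
        if line.startswith("password_pbkdf2 "):
            parts = line.split()
            if len(parts) == 3 and parts[2].startswith(HASH_PREFIX):
                report["pbkdf2_users"].append(parts[1])
            else:
                report["warnings"].append("malformed password_pbkdf2 line: " + line)
            continue
        if line.startswith("password "):
            report["warnings"].append("plaintext password line, use password_pbkdf2: " + line)
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            if line.endswith("{"):
                stack.append(None)  # function or other block, not a menu
            continue
        kind, _, title, opts = m.groups()
        own, users = _own_access(opts)
        enclosing = [a for a in stack if a is not None]
        open_to_all = own == "unrestricted" and all(a == "unrestricted" for a in enclosing)
        report["entries"].append({"title": title, "kind": kind, "own": own,
                                  "users": users, "boots_without_password": open_to_all})
        if open_to_all and "recovery" in title.lower():
            report["warnings"].append("recovery entry boots without a password: " + title)
        stack.append(own if kind == "submenu" else None)
    if not report["superusers"]:
        report["warnings"].append("no superusers set: menu editing and the GRUB shell are open to anyone")
    for u in report["superusers"]:
        if u not in report["pbkdf2_users"]:
            report["warnings"].append(f"superuser {u} has no password_pbkdf2 line: nobody can authenticate")
    return report


if __name__ == "__main__":
    import json
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUBMENU
    print(json.dumps(audit_grub_cfg(text), indent=2))
```

Run it as sudo python3 grub_audit.py /boot/grub/grub.cfg (the file is normally not readable by ordinary users once it contains a hash). An empty warnings list and the expected boots_without_password flags are what you want to see before you reboot.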
