Thursday, 2 September 2021

How to Set GRUB Bootloader Password in Linux Server

How to Set GRUB Password in Linux Server

This article shows you how to set a password for GRUB Bootloader on Linux server.


Table of Contents:


What is GRUB? :

GRUB stands for Grand Unified Bootloader. It is the preferred bootloader for many Linux distros.

GRUB is a boot loader package from the GNU Project. It is the reference implementation of the Free Software Foundation's Multiboot Specification, which provides a user the choice to boot one of multiple operating systems installed on a computer or select a specific kernel configuration available on a particular operating system's partitions.



Why Set Password on GRUB? :

You may be aware that, if a person has physical access to your Linux server. It can easily reset the superuser (root) password by booting your Linux operating system into Single user mode.

For this purpose, one can easily edit the Kernel command in GRUB menu.

Therefore, it is a best practice to put a strong password on GRUB. So, whenever a user try to edit the menu entries, he has to provide a valid login/password.

Let's see how we can set GRUB password on Linux Server. There are two ways to this.


The Simple Method:

In some Linux distros such as Rocky Linux, RHEL or CentOS 8. GRUB bootloader is shipped with a handy command to set a password for boot menu.

This command sets a password for the default root user. Execute it now and set a strong password.

# grub2-setpassword
Enter password:
Confirm password:

Reboot your Linux server to verify the new settings.


Press 'e' to edit the menu entries.


The GRUB is now asking for a login credentials. Enter the correct login/password.


After providing valid credentials, you can now edit your GRUB menu commands.

Similarly, if you want to remove GRUB password, that was set by using the grub2-password command. You have to simply delete the following file.

# rm -f /boot/grub2/user.cfg
# rm -f /boot/efi/EFI/redhat/user.cfg

For a BIOS based system the user.cfg file is located in /boot/grub2/ directory, whereas on an UEFI based system, you may find it within /boot/efi/EFI/redhat/ directory.

Therefore, it is safe to delete it from both locations.


The Advance Method:

If you want to create multiple login credentials for GRUB menu then the simple method won't work for you.

Therefore, you have to use the following method to set passwords on boot menu. and this method works on all Linux distros that are using GRUB bootloader.

Execute the following command to generate password hashes for your users.

# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.6CE9F4DAF8A6BB2823882EEF3A6CF1792523E4785BD891BF61597DE59BAEBF50787642196FDDC018258C7C00FBC105FAD3F7437936DCD0C72F925A101BADE2CE.EBD8D141809B5793651F198C91560FAB2A522683FB9E4BC95BE961D19A6A3E8F46225B7CF68A7F79BAAB19E99500FA6DC7CC6DB331026733670722D9FD40FDD4

# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.751F468CC621AF04393BD80D4C1B4C8D5D5B990A9CF6E2AEB7B1424ECE4ED2C4C9FD47FFE33156C11EADA59EFC7B16DBBED3F3A368468DC0A1FDEAEDEC2AB43D.37D24383BB42E891068090A0EF6E60B43F1C800F9A82F88179F7535343EEBAD08326BD1CBD3337ED5E712291B3DBDBB2341DF58E8F012F3D7E7CD10DE4F0B1A4

Edit /etc/grub.d/00_header by using your favorite text editor.

# vi /etc/grub.d/00_header

Add following lines of code at the end of this file.

cat << EOF
set superusers="grubadmin,gruboper"
password_pbkdf2 grubadmin grub.pbkdf2.sha512.10000.6CE9F4DAF8A6BB2823882EEF3A6CF1792523E4785BD891BF61597DE59BAEBF50787642196FDDC018258C7C00FBC105FAD3F7437936DCD0C72F925A101BADE2CE.EBD8D141809B5793651F198C91560FAB2A522683FB9E4BC95BE961D19A6A3E8F46225B7CF68A7F79BAAB19E99500FA6DC7CC6DB331026733670722D9FD40FDD4
password_pbkdf2 gruboper grub.pbkdf2.sha512.10000.751F468CC621AF04393BD80D4C1B4C8D5D5B990A9CF6E2AEB7B1424ECE4ED2C4C9FD47FFE33156C11EADA59EFC7B16DBBED3F3A368468DC0A1FDEAEDEC2AB43D.37D24383BB42E891068090A0EF6E60B43F1C800F9A82F88179F7535343EEBAD08326BD1CBD3337ED5E712291B3DBDBB2341DF58E8F012F3D7E7CD10DE4F0B1A4

Rebuild GRUB configuration file by executing following command.

# grub2-mkconfig > /boot/grub2/grub.cfg
Generating grub configuration file ...

Above command may not be available on some Linux distros such as Debian, where you can alternatively execute following command.

# update-grub

Similarly, if you want to remove the password from boot menu, you can remove this code from /etc/grub.d/00_header and regenerate the GRUB configurations.


An Additional Tip:

Here, GRUB bootloader will ask for a login credential when user try to edit the menu. However, in some situations you may be required to set a password whenever you try to start your Linux operating system.

Edit /etc/grub.d/10_linux in your favorite text editor.

# vi /etc/grub.d/10_linux

Find following line in this file.

CLASS="--class gnu-linux --class gnu --class os --unrestricted"

And remove the --unrestricted option.

CLASS="--class gnu-linux --class gnu --class os"

Regenerate GRUB configuration file and reboot.


Now, GRUB will ask you for a password if you try to boot your Linux operating system.

Beware that, if you forget this password, then you have to recover GRUB bootloader.



In this article, you have learned about setting a password for GRUB bootloader in your Linux server.

If you find this article useful? Consider supporting us by Buy Me A Coffee

No comments:

Post a Comment

© 2022 CentLinux. All Rights Reserved.