GRUB set password boot protection

One of the best ways to secure your Linux system is by setting a password in GRUB. By having a boot password, no one can boot into your system or access single user mode without supplying a password when the system first turns on.

In this tutorial, we will go through the step by step instructions to set a password in GRUB for boot protection.

In this tutorial you will learn:

  • How to set a password in GRUB for boot protection
  • Advantages and caveats of setting a GRUB boot password
Software Requirements and Linux Command Line Conventions

Category: Requirements, Conventions or Software Version Used
System: Any Linux system
Software: GRUB boot loader
Other: Privileged access to your Linux system as root or via the sudo command.
Conventions:
  # – requires given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
  $ – requires given Linux commands to be executed as a regular non-privileged user

Advantages and caveats of setting a GRUB boot password




Setting a boot password in GRUB is an excellent way to secure your Linux system. However, it is only one of many things a user must do in order to ensure top security for their computer. Before we dive into the step-by-step instructions, take a few of the following points into consideration.

Pros of setting a GRUB boot password:

  • Setting a GRUB password is a quick and easy process that will amplify the security of your Linux system.
  • A GRUB password will not only prevent unauthorized users from booting into your Linux system, but also prevent them from accessing single user mode. If an attacker can access single user mode, they can reset your root password and log in to your system.

Caveats of setting a GRUB boot password:

  • Setting a GRUB password will only protect against an attacker that is physically present at your computer. It does not protect it from remote attacks or other threats.
  • The attacker would need to boot into your computer in order to be presented with the GRUB password prompt. If the computer is already turned on, even at the operating system’s lock screen, then the GRUB password has already been bypassed and will not protect your computer.
  • Setting a GRUB boot password would be a bad idea on systems that are managed remotely. For example, if someone reboots the system via SSH, you will need another user physically present at the computer to supply the GRUB password before the system can boot up again.
  • If you ever forget your GRUB password, you will not be able to boot into the operating system again.

How to set a boot password for GRUB step by step instructions

WARNING
It is recommended that you try these steps on a virtual machine first, as doing one thing wrong could lead to you being permanently locked out of your own system. After you are sure that you understand the process, then it would be time to follow the steps on your production machine.
  1. Get started by opening a command line terminal and typing the following command to generate a password hash.
    $ grub-mkpasswd-pbkdf2
    

    You will be prompted to enter a password twice, and then a hash will be output to your terminal.

    Using the grub-mkpasswd-pbkdf2 command in Linux to generate a password hash
  2. Copy the password hash to your clipboard. This includes the part that starts with “grub.” As an example, this is the password hash we have generated on our test system. The syntax of yours should look the same.
    grub.pbkdf2.sha512.10000.095DB0192324CCACC86DB81455C7E45B266FA9570CAFE8FC413A4C756F6666A35CD907EB73BE95D2C469CAA9C8FEB0F278365738B1FD7AB96EDFA15D0442D8D7.2EC836CCB165599D63799071B2069D058E5F42FCEC6804ACCD2C7EA6CF722380F1FF4E5191D7B0385152482E829F3FBB44AA626D59CE609092B8150E610C502B
    
  3. Next, we will make some edits to the /etc/grub.d/00_header GRUB configuration file. Use nano or your preferred text editor to open this file with root privileges.


    $ sudo nano /etc/grub.d/00_header
    
  4. At the bottom of this file, you will need to paste the following code, while replacing linuxconfig with the name of your user account, and replacing INSERT-HASH with the password hash that you generated earlier.
    cat << EOF
    set superusers="linuxconfig"
    password_pbkdf2 linuxconfig INSERT-HASH
    EOF
    
    Editing the GRUB configuration file with your user name and password hash
  5. After you have made the change from the previous step, you can exit and save your changes to the GRUB configuration file. After that, execute the update-grub command with root privileges for the GRUB password settings to take effect.
    $ sudo update-grub
    
  6. The only thing to do now is reboot the system and make sure that you are presented with a prompt for your GRUB password.
    $ sudo reboot
    
    GRUB boot password prompt
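
A check to run between steps 5 and 6, given the lockout risk described in the WARNING above. This is an added example, not part of the original tutorial: the function name check_grub_password is hypothetical, and the sample configs with their shortened hashes are constructed for illustration. It confirms that every name in superusers has a matching, well-formed password_pbkdf2 line and catches the INSERT-HASH placeholder from step 4 being left in place.

```shell
#!/bin/sh
# Added example: lint a generated GRUB config before rebooting (step 6).
# check_grub_password FILE returns 0 only if the password setup is consistent.
check_grub_password() {
    cfg=$1
    rc=0
    # GRUB accepts spaces, commas, semicolons, pipes or ampersands between names.
    users=$(sed -n 's/^[[:space:]]*set superusers="\([^"]*\)".*/\1/p' "$cfg" |
        tail -n 1 | tr ',;|&' '    ')
    if [ -z "$users" ]; then
        echo "FAIL: superusers is not set, so GRUB will not ask for a password"
        return 1
    fi
    for u in $users; do
        h=$(awk -v u="$u" '$1 == "password_pbkdf2" && $2 == u { print $3 }' "$cfg" |
            tail -n 1)
        if [ -z "$h" ]; then
            echo "FAIL: superuser '$u' has no password_pbkdf2 line"; rc=1
        elif ! printf '%s\n' "$h" | grep -Eq \
            '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'; then
            echo "FAIL: hash for '$u' is malformed (placeholder or cut-off paste)"; rc=1
        else
            echo "OK: superuser '$u' has a well-formed PBKDF2 hash"
        fi
    done
    # A plain 'password' directive keeps the password itself in the file.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "FAIL: plaintext 'password' directive found"; rc=1
    fi
    return "$rc"
}

# Constructed sample inputs; the hashes are shortened and not real.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/good.cfg" << 'EOF'
set superusers="linuxconfig"
password_pbkdf2 linuxconfig grub.pbkdf2.sha512.10000.0A1B2C3D.4E5F6071
EOF
cat > "$SAMPLES/placeholder.cfg" << 'EOF'
set superusers="linuxconfig"
password_pbkdf2 linuxconfig INSERT-HASH
EOF
cat > "$SAMPLES/mismatch.cfg" << 'EOF'
set superusers="linuxconfig"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.0A1B2C3D.4E5F6071
EOF
for f in good placeholder mismatch; do
    echo "== $f.cfg"; check_grub_password "$SAMPLES/$f.cfg" || true
done
```

On a system where update-grub writes to /boot/grub/grub.cfg (the Debian and Ubuntu default), call the function on that file as root after step 5.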

Closing Thoughts




In this tutorial, we saw how to set a GRUB boot password in Linux. Setting a GRUB password will go a long way in protecting your system, but it only protects against attackers who are trying to physically boot into your computer. For traveling laptops with sensitive information, it is a great way to protect the sensitive files from thieves and prying eyes.


