Protecting GRUB with Password on Linux

PowerADM.com / Linux / Debian / Protecting GRUB with Password on Linux

In this article, we’ll look at how to protect the Linux GRUB2 bootloader configuration with a password.

Generate a password hash using the grub-mkpasswd-pbkdf tool (available by default on Ubuntu):

$ grub-mkpasswd-pbkdf2

Enter the password and confirmation, then copy the hash (starts with grub.pbkdf2.sha512…).

grub-mkpasswd-pbkdf2 - generate grup password hash

Edit the grub bootloader config file:

$ sudo nano /etc/grub.d/00_header

Add the following lines at the end of the file:

cat << EOF
set superusers=user_name
password_pbkdf2 user_name password-hash
EOF

protect grub with password

Update bootloader configuration:

$ sudo update-grub

Reboot Linux:

$ reboot

Now, when GRUB starts, a prompt will appear in which you need to enter a username and password. Without entering credentials, Linux will not boot.

grub password at linux boot

Since the /etc/grub.d/00_header file contains a password hash, it is recommended to prevent it from being read and modified by anyone except the root user:

$ sudo chmod 711 /etc/grub.d/00_header

In this mode, the GRUB password will be requested each time Linux boots. If you only want to protect the bootloader configuration from changes, edit the /etc/grub.d/10_linux file:

$ sudo nano /etc/grub.d/10_linux

Find the line:

CLASS="--class gnu-linux --class gnu --class os"

And add the –unrestricted option:

CLASS="--class gnu-linux --class gnu --class os --unrestricted"

Save the file and update the GRUB config:

$ sudo update-grub
Leave a Reply

Your email address will not be published. Required fields are marked *