This article shows you how to set a GRUB password on a Linux server.
What is GRUB? :
GRUB stands for Grand Unified Bootloader. It is the preferred bootloader for many Linux distros.
GRUB is a boot loader package from the GNU Project. It is the reference implementation of the Free Software Foundation’s Multiboot Specification, which provides a user the choice to boot one of multiple operating systems installed on a computer or select a specific kernel configuration available on a particular operating system’s partitions.
Why set GRUB Password? :
You may be aware that a person with physical access to your Linux server can easily reset the superuser (root) password by booting the operating system into single-user mode.
To do so, they only need to edit the kernel command line in the GRUB menu.
Therefore, it is a best practice to put a strong password on GRUB, so that whenever a user tries to edit the menu entries, they have to provide a valid login/password.
Let’s see how we can set a GRUB password on a Linux server. There are two ways to do this.
The Simple Method:
In some Linux distros such as Rocky Linux, RHEL or CentOS 8, the GRUB bootloader ships with a handy command to set a password for the boot menu.
This command sets a password for the default GRUB user, root. Execute it now and set a strong password.
# grub2-setpassword
Enter password:
Confirm password:
Reboot your Linux server to verify the new settings.
Press ‘e’ to edit the menu entries.
GRUB now asks for login credentials. Enter the correct login/password.
After providing valid credentials, you can now edit your GRUB menu commands.
Similarly, if you want to remove a GRUB password that was set with the grub2-setpassword command, you simply have to delete the following file.
# rm -f /boot/grub2/user.cfg
# rm -f /boot/efi/EFI/redhat/user.cfg
On a BIOS-based system the user.cfg file is located in the /boot/grub2/ directory, whereas on a UEFI-based system you may find it in the /boot/efi/EFI/redhat/ directory.
Therefore, it is safe to delete it from both locations.
The Advanced Method:
If you want to create multiple login credentials for the GRUB menu, the simple method won’t work for you.
Instead, you have to use the following method to set passwords on the boot menu. This method works on all Linux distros that use the GRUB bootloader.
Execute the following command to generate password hashes for your users.
# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.6CE9F4DAF8A6BB2823882EEF3A6CF1792523E4785BD891BF61597DE59BAEBF50787642196FDDC018258C7C00FBC105FAD3F7437936DCD0C72F925A101BADE2CE.EBD8D141809B5793651F198C91560FAB2A522683FB9E4BC95BE961D19A6A3E8F46225B7CF68A7F79BAAB19E99500FA6DC7CC6DB331026733670722D9FD40FDD4

# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.751F468CC621AF04393BD80D4C1B4C8D5D5B990A9CF6E2AEB7B1424ECE4ED2C4C9FD47FFE33156C11EADA59EFC7B16DBBED3F3A368468DC0A1FDEAEDEC2AB43D.37D24383BB42E891068090A0EF6E60B43F1C800F9A82F88179F7535343EEBAD08326BD1CBD3337ED5E712291B3DBDBB2341DF58E8F012F3D7E7CD10DE4F0B1A4
Edit /etc/grub.d/00_header by using your favorite text editor.
# vi /etc/grub.d/00_header
Add the following lines of code at the end of this file.
cat << EOF
set superusers="grubadmin,gruboper"
password_pbkdf2 grubadmin grub.pbkdf2.sha512.10000.6CE9F4DAF8A6BB2823882EEF3A6CF1792523E4785BD891BF61597DE59BAEBF50787642196FDDC018258C7C00FBC105FAD3F7437936DCD0C72F925A101BADE2CE.EBD8D141809B5793651F198C91560FAB2A522683FB9E4BC95BE961D19A6A3E8F46225B7CF68A7F79BAAB19E99500FA6DC7CC6DB331026733670722D9FD40FDD4
password_pbkdf2 gruboper grub.pbkdf2.sha512.10000.751F468CC621AF04393BD80D4C1B4C8D5D5B990A9CF6E2AEB7B1424ECE4ED2C4C9FD47FFE33156C11EADA59EFC7B16DBBED3F3A368468DC0A1FDEAEDEC2AB43D.37D24383BB42E891068090A0EF6E60B43F1C800F9A82F88179F7535343EEBAD08326BD1CBD3337ED5E712291B3DBDBB2341DF58E8F012F3D7E7CD10DE4F0B1A4
EOF
Rebuild the GRUB configuration file by executing the following command.
# grub2-mkconfig > /boot/grub2/grub.cfg
Generating grub configuration file ...
done
The above command may not be available on some Linux distros such as Debian, where you can alternatively execute the following command.
Similarly, if you want to remove the password from the boot menu, you can remove this code from /etc/grub.d/00_header and regenerate the GRUB configuration.
A Bonus Tip:
With the setup above, the GRUB bootloader asks for login credentials only when a user tries to edit the menu. However, in some situations you may be required to ask for a password whenever someone tries to start your Linux operating system.
Edit /etc/grub.d/10_linux in your favorite text editor.
# vi /etc/grub.d/10_linux
Find the following line in this file.
CLASS="--class gnu-linux --class gnu --class os --unrestricted"
And remove the --unrestricted option.
CLASS="--class gnu-linux --class gnu --class os"
Regenerate the GRUB configuration file and reboot.
Now, GRUB will ask you for a password if you try to boot your Linux operating system.
Beware that if you forget this password, you will have to recover the GRUB bootloader.
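The shell functions below are an added example, not part of the original article: they check a generated grub.cfg for the settings from the Advanced Method and the Bonus Tip (the superusers list, a well-formed password_pbkdf2 hash for each of those users, and menu entries that still carry --unrestricted). The function names and the sample configuration are constructed, and the check assumes the menuentry lines are written into grub.cfg itself.

```shell
#!/bin/sh
# Audit a generated grub.cfg for the settings configured in this article.
# Assumption: menuentry lines are in grub.cfg itself (no separate snippets).

# Names listed in superusers, one per line.
grub_superusers() {
    sed -n 's/^[[:space:]]*set superusers="\([^"]*\)".*/\1/p' "$1" |
        tr ',; ' '\n\n\n' | sed '/^$/d'
}

# Superusers with no well-formed password_pbkdf2 line (they cannot log in).
grub_users_without_hash() {
    for u in $(grub_superusers "$1"); do
        awk -v u="$u" '
            $1 == "password_pbkdf2" && $2 == u &&
            $3 ~ /^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$/ { ok = 1 }
            END { exit !ok }' "$1" || echo "$u"
    done
}

# Number of menu entries that still boot without credentials.
grub_unrestricted_entries() {
    grep -Ec '^[[:space:]]*menuentry .*--unrestricted' "$1" || true
}

# Constructed sample: gruboper's hash is truncated, one entry is unrestricted.
sample_grub_cfg() {
    cat << 'EOF'
set superusers="grubadmin,gruboper"
password_pbkdf2 grubadmin grub.pbkdf2.sha512.10000.A1B2C3.D4E5F6
password_pbkdf2 gruboper grub.pbkdf2.sha512.10000.A1B2C3
menuentry 'Linux' --class gnu-linux --class gnu --class os --unrestricted {
}
menuentry 'Linux (rescue)' --class gnu-linux --class gnu --class os {
}
EOF
}

cfg=$(mktemp)
sample_grub_cfg > "$cfg"
echo "superusers:           $(grub_superusers "$cfg" | tr '\n' ' ')"
echo "missing or bad hash:  $(grub_users_without_hash "$cfg" | tr '\n' ' ')"
echo "unrestricted entries: $(grub_unrestricted_entries "$cfg")"
rm -f "$cfg"
```

To audit a real host, pass /boot/grub2/grub.cfg to the three functions after regenerating the configuration file.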
In this article, you have learned how to set GRUB password in Linux server.