How to set GRUB Password in Linux

Share on Social Media

Learn how to set GRUB password in Linux to enhance your system’s security. Follow our step-by-step guide to protect your boot loader and prevent unauthorized access to boot settings. #centlinux #linux #grub

What is GRUB?

GRUB stands for Grand Unified Bootloader. It is the preferred bootloader for many Linux distros.

GRUB is a boot loader package from the GNU Project. It is the reference implementation of the Free Software Foundation’s Multiboot Specification, which provides a user the choice to boot one of multiple operating systems installed on a computer or select a specific kernel configuration available on a particular operating system’s partitions.

Why set GRUB Password?

You may be aware that, if a person has physical access to your Linux server. It can easily reset the superuser (root) password by booting your Linux OS into Single user mode.

For this purpose, one can easily edit the Kernel command in GRUB menu.

Therefore, it is a best practice to put a strong password on GRUB. So, whenever a user try to edit the menu entries, he has to provide a valid login/password.

Let’s see how we can set GRUB password on Linux Server. There are two ways to this.

Recommended Online Training: Learn Bash Shell in Linux for Beginners

745772 0021

The Simple Method

In some Linux distros such as Rocky Linux, RHEL or CentOS 8. GRUB bootloader is shipped with a handy command to set a password for boot menu.

This command sets a password for the default root user. Execute it now and set a strong password.

# grub2-setpassword
Enter password:
Confirm password:

Reboot your Linux server to verify the new settings.

GRUB Menu
GRUB Menu

Press ‘e’ to edit the menu entries.

GRUB Login
GRUB Login

The GRUB is now asking for a login credentials. Enter the correct login/password.

Edit GRUB Menu
Edit GRUB Menu

After providing valid credentials, you can now edit your GRUB menu commands.

Similarly, if you want to remove GRUB password, that was set by using the grub2-password command. You have to simply delete the following file.

# rm -f /boot/grub2/user.cfg
# rm -f /boot/efi/EFI/redhat/user.cfg

For a BIOS based system the user.cfg file is located in /boot/grub2/ directory, whereas on an UEFI based system, you may find it within /boot/efi/EFI/redhat/ directory.

Therefore, it is safe to delete it from both locations.

The Advance Method

If you want to create multiple login credentials for GRUB menu then the simple method won’t work for you.

Therefore, you have to use the following method to set passwords on boot menu. and this method works on all Linux distros that are using GRUB bootloader.

Execute the following command to generate password hashes for your users.

# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.6CE9F4DAF8A6BB2823882EEF3A6CF1792523E4785BD891BF61597DE59BAEBF50787642196FDDC018258C7C00FBC105FAD3F7437936DCD0C72F925A101BADE2CE.EBD8D141809B5793651F198C91560FAB2A522683FB9E4BC95BE961D19A6A3E8F46225B7CF68A7F79BAAB19E99500FA6DC7CC6DB331026733670722D9FD40FDD4

# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.751F468CC621AF04393BD80D4C1B4C8D5D5B990A9CF6E2AEB7B1424ECE4ED2C4C9FD47FFE33156C11EADA59EFC7B16DBBED3F3A368468DC0A1FDEAEDEC2AB43D.37D24383BB42E891068090A0EF6E60B43F1C800F9A82F88179F7535343EEBAD08326BD1CBD3337ED5E712291B3DBDBB2341DF58E8F012F3D7E7CD10DE4F0B1A4

Edit /etc/grub.d/00_header by using your favorite text editor.

# vi /etc/grub.d/00_header

Add following lines of code at the end of this file.

cat << EOF
set superusers="grubadmin,gruboper"
password_pbkdf2 grubadmin grub.pbkdf2.sha512.10000.6CE9F4DAF8A6BB2823882EEF3A6CF1792523E4785BD891BF61597DE59BAEBF50787642196FDDC018258C7C00FBC105FAD3F7437936DCD0C72F925A101BADE2CE.EBD8D141809B5793651F198C91560FAB2A522683FB9E4BC95BE961D19A6A3E8F46225B7CF68A7F79BAAB19E99500FA6DC7CC6DB331026733670722D9FD40FDD4
password_pbkdf2 gruboper grub.pbkdf2.sha512.10000.751F468CC621AF04393BD80D4C1B4C8D5D5B990A9CF6E2AEB7B1424ECE4ED2C4C9FD47FFE33156C11EADA59EFC7B16DBBED3F3A368468DC0A1FDEAEDEC2AB43D.37D24383BB42E891068090A0EF6E60B43F1C800F9A82F88179F7535343EEBAD08326BD1CBD3337ED5E712291B3DBDBB2341DF58E8F012F3D7E7CD10DE4F0B1A4
EOF

Rebuild GRUB configuration file by executing following command.

# grub2-mkconfig > /boot/grub2/grub.cfg
Generating grub configuration file ...
done

Above command may not be available on some Linux distros such as Debian, where you can alternatively execute following command.

# update-grub

Similarly, if you want to remove the password from boot menu, you can remove this code from /etc/grub.d/00_header and regenerate the GRUB configurations.

A Bonus Tip: GRUB Boot Loader

Here, GRUB bootloader will ask for a login credential when user try to edit the menu. However, in some situations you may be required to set a password whenever you try to start your Linux OS.

Edit /etc/grub.d/10_linux in your favorite text editor.

# vi /etc/grub.d/10_linux

Find following line in this file.

CLASS="--class gnu-linux --class gnu --class os --unrestricted"

And remove the –unrestricted option.

CLASS="--class gnu-linux --class gnu --class os"

Regenerate GRUB configuration file and reboot.

GRUB Login
GRUB Login

Now, GRUB will ask you for a password if you try to boot your Linux OS.

Beware that, if you forget this password, then you have to recover GRUB bootloader.

If you are new to Linux and facing difficulty in working at Linux Bash prompt. We recommend that, you should read The Linux Command Line, 2nd Edition: A Complete Introduction by William Shotts.

Video Tutorial: How to set GRUB Password in Linux

YouTube player

Final Thoughts

Setting a GRUB password in Linux is a crucial step to enhance your system’s security by preventing unauthorized access to boot settings. By following this guide, you can protect your boot loader and ensure that only authorized users can make changes. If you need personalized assistance or encounter any issues while setting up your GRUB password, I offer professional services on Fiverr. Check out my Fiverr gig for expert help with configuring GRUB and other Linux security measures.

Leave a Comment