What is GRUB?
GRUB stands for Grand Unified Bootloader is the default bootloader for all linux and Unix like Operating Systems. It was first invented by Sir Erich Stefan Boleyn on year 1995. GRUB2 bootloader is used to load the kernel and then kernel loads the Operating System, In short GRUB is the Module which is used to start the Operating System.
The Versions of GRUB are GRUB and GRUB2 Bootloader and there are some changes are made in latest version of GRUB ( i.e. GRUB2 Bootloader ) like in GRUB the main configuration file was “grub.conf” but in GRUB2 bootloader its “grub.cfg“. In GRUB2 the harddisk number starts with 1 as it was 0 in pervious version of GRUB and So on. RHEL/CentOS 7 comes with GRUB2 Bootloader.
Follow the Steps to Protect the GRUB2 Bootloader with Password :
Step : 1 Generate Encrypted Password
First we have to generate encrypted password using command grub2-mkpasswd-pbkdf2. After execute the command it will ask to enter passsword, So here you enter the password which is you want to set to protect GRUB2 Bootloader.
Note : Below the generated encrypted password is highlighted in blue color.
# grub2-mkpasswd-pbkdf2 # Use this command to Generate Encrypted Password Enter password: Reenter password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.FECBECE234528AAC47780D5B3C2A24E099DA822F6C9432407EE4A0B66EF5A691774C86E21CB6D9C19CFE96353E34475228286E25A6F12A42758B087F18D5D0F9.6C84C084FA82EEB9E9A239B752F76898C2667FB4FAB8F300A12353E1291DDA3D85F664F1CC546DFC17EB1F47765276078C3EA070F1F3B4EDCAB1F9629644CD81
So now we have the encrypted password which we have to set on GRUB2 Bootloader main configuration file which is grub.cfg. But it is Recommended that we should not edit the boot.cfg configuration file directly, So we have to copy the encrypted password on GRUB2 custom menu i.e. 40_custom which is located at /etc/grub.d/. Refer the below output.
# ls /etc/grub.d/ 00_header 10_linux 20_ppc_terminfo 40_custom README 00_tuned 20_linux_xen 30_os-prober 41_custom
Step : 2 Set the Password on GRUB2 main Configuration File
So before edit the 40_custom menu file we recommend you to take a backup using below command.
# cp /etc/grub.d/40_custom /etc/grub.d/40_custom.backup
Now edit the file using below command and enter the lines shown below which is highlighted in blue color.
# nano /etc/grub.d/40_custom # Edit the GRUB Custom Menu
#!/bin/sh exec tail -n +3 $0 # This file provides an easy way to add custom menu entries. Simply type the # menu entries you want to add after this comment. Be careful not to change # the 'exec tail' line above. set superusers="root" password_pbkdf2 root grub.pbkdf2.sha512.10000.FECBECE234528AAC47780D5B3C2A24E099DA822F6C9432407EE4A0B66EF5A691774C86E21CB6D9C19CFE96353E34475228286E25A6F12A42758B087F18D5D0F9.6C84C084FA82EEB9E9A239B752F76898C2667FB4FAB8F300A12353E1291DDA3D85F664F1CC546DFC17EB1F47765276078C3EA070F1F3B4EDCAB1F9629644CD81
Step : 3 Update the grub.cfg File
Now we have to update the grub.cfg file by using grub2-mkconfig command, but before that let’s take the backup of grub.cfg file.
# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.backup
Run the below command to Update the grub.cfg file.
# grub2-mkconfig -o /boot/grub2/grub.cfg Generating grub configuration file ... Found linux image: /boot/vmlinuz-3.10.0-229.el7.x86_64 Found initrd image: /boot/initramfs-3.10.0-229.el7.x86_64.img Found linux image: /boot/vmlinuz-0-rescue-7c6e54925d804adcae1a4e795e596226 Found initrd image: /boot/initramfs-0-rescue-7c6e54925d804adcae1a4e795e596226.img done
After update the GRUB2 Bootloader main configuration file the encrypted password will set on grub.cfg file, We can check it by open the file using cat or less command.
As we can see on the snapshot above the password is there on grub.cfg file on the 40_custom Section.
We are done with all required configuration, Now just restart the system to check if GRUB Bootloader is protected with password or not.
# reboot # Restart the System
After restart the system interrupt the normal boot process by pressing SPACE BAR and select the GRUB menu as highlighted in blue color on the snapshot below and then press e to edit the GRUB.
Now it’s asking for Username and Password as shown on the snapshot below, So here just enter the Username as root and Password which we have set on Step : 1.
So after a successful authentication we able to edit the GRUB2 Bootloader as shown on the snapshot below.
This is how we can protect the GRUB2 Bootloader with Password.
If you found this article useful then Like us, Subscribe us, Share the article Or if you have any thing to say then comment on the comment box below the post.