How To Protect Grub2 Bootloader With Password In Rhel/Centos 7

What is GRUB?

GRUB stands for Grand Unified Bootloader is the default bootloader for all linux and Unix like Operating Systems. It was first invented by Sir Erich Stefan Boleyn on year 1995. GRUB2 bootloader is used to load the kernel and then kernel loads the Operating System, In short GRUB is the Module which is used to start the Operating System.

The Versions of GRUB are GRUB and GRUB2 Bootloader and there are some changes are made in latest version of GRUB ( i.e. GRUB2 Bootloader ) like in GRUB the main configuration file was “grub.conf” but in GRUB2 bootloader its “grub.cfg“. In GRUB2 the harddisk number starts with 1 as it was 0 in pervious version of GRUB and So on. RHEL/CentOS 7 comes with GRUB2 Bootloader.

Follow the Steps to Protect the GRUB2 Bootloader with Password :

Step : 1 Generate Encrypted Password

First we have to generate encrypted password using command grub2-mkpasswd-pbkdf2. After execute the command it will ask to  enter passsword, So here you enter the password which is you want to set to protect GRUB2 Bootloader.

Note : Below the generated encrypted password is highlighted in blue color.

# grub2-mkpasswd-pbkdf2     # Use this command to Generate Encrypted Password
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.FECBECE234528AAC47780D5B3C2A24E099DA822F6C9432407EE4A0B66EF5A691774C86E21CB6D9C19CFE96353E34475228286E25A6F12A42758B087F18D5D0F9.6C84C084FA82EEB9E9A239B752F76898C2667FB4FAB8F300A12353E1291DDA3D85F664F1CC546DFC17EB1F47765276078C3EA070F1F3B4EDCAB1F9629644CD81

So now we have the encrypted password which we have to set on GRUB2 Bootloader main configuration file which is grub.cfg. But it is Recommended that we should not edit the boot.cfg configuration file directly, So we have to copy the encrypted password on GRUB2 custom menu i.e. 40_custom which is located at /etc/grub.d/. Refer the below output.

# ls /etc/grub.d/
00_header  10_linux      20_ppc_terminfo  40_custom  README
00_tuned   20_linux_xen  30_os-prober     41_custom

Step : 2 Set the Password on GRUB2 main Configuration File

So before edit the 40_custom menu file we recommend you to take a backup using below command.

# cp /etc/grub.d/40_custom /etc/grub.d/40_custom.backup

Now edit the file using below command and enter the lines shown below which is highlighted in blue color.

# nano /etc/grub.d/40_custom   # Edit the GRUB Custom Menu
#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.FECBECE234528AAC47780D5B3C2A24E099DA822F6C9432407EE4A0B66EF5A691774C86E21CB6D9C19CFE96353E34475228286E25A6F12A42758B087F18D5D0F9.6C84C084FA82EEB9E9A239B752F76898C2667FB4FAB8F300A12353E1291DDA3D85F664F1CC546DFC17EB1F47765276078C3EA070F1F3B4EDCAB1F9629644CD81

Step : 3 Update the grub.cfg File

Now we have to update the grub.cfg file by using grub2-mkconfig command, but before that let’s take the backup of grub.cfg file.

# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.backup

Run the below command to Update the grub.cfg file.

# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-229.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-229.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-7c6e54925d804adcae1a4e795e596226
Found initrd image: /boot/initramfs-0-rescue-7c6e54925d804adcae1a4e795e596226.img
done

After update the GRUB2 Bootloader main configuration file the encrypted password will set on grub.cfg file, We can check it by open the file using cat or less command.

Checking the encrypted Password in grub.cfg file

As we can see on the snapshot above the password is there on grub.cfg file on the 40_custom Section.

We are done with all required configuration, Now just restart the system to check if GRUB Bootloader is protected with password or not.

# reboot   # Restart the System

After restart the system interrupt the normal boot process by pressing SPACE BAR and select the GRUB menu as highlighted in blue color on the snapshot below and then press e to edit the GRUB.

Now it’s asking for Username and Password as shown on the snapshot below, So here just enter the Username as root and Password which we have set on Step : 1.

So after a successful authentication we able to edit the GRUB2 Bootloader as shown on the snapshot below.

This is how we can protect the GRUB2 Bootloader with Password.

If you found this article useful then Like us, Subscribe us, Share the article Or if you have any thing to say then comment on the comment box below the post.

Fuente: http://www.elinuxbook.com/how-to-protect-grub2-bootloader-with-password-in-linux/