How to password-protect GRUB

Password-protecting the bootloader is one method you may employ to enhance the physical security profile of your computer. GRUB, the GRand Unified Bootloader, is the default bootloader on virtually all Linux distributions, but on a significant number, the installer does not have support for setting a GRUB password. This article presents the step involved in password-enabling GRUB – on a running system.

Before we go through the steps involved in setting a password for GRUB, it’s best to understand why this is even necessary. Principally, we password-enable GRUB to:

  1. Prevent Access To Single User Mode — If an attacker can boot into single user mode, he becomes the root user.
  2. Prevent Access To the GRUB Console — If the machine uses GRUB as its boot loader, an attacker can use the edit the command’s interface to change its configuration or to gather information using the cat command.

If your distribution’s installer has support for setting a GRUB password, the process involved should be similar to the one shown in the image below, which was taken from a similar Fedora 13 tutorial. Just check “Use a boot loader password” and the installer will prompt for a password.

GRUB password

Specifying boot loader password

If your distribution’s installer does not have support for setting a password for GRUB, you can still do it after installation. The process involved in this exercise is the same across distributions. However, for this article, an installation of Fedora 13 was used. Here are the steps involved:

  1. From a shell terminal, run the grub-md5-crypt command. The password that’s requested will be the one that’ll be used to protect GRUB. It should not be the same as that of any user account on the system, certainly not the same as the root password. Note the md5 hash generated. You will need it in the next step.

    GRUB hashGenerate the md5 hash for password-protecting GRUB

  2. Edit /etc/grub.conf as shown in the image. Just add another line below the “timeout” line and type in password –md5 (md5 hash generated from step 1) as shown in the image. Save the file. Reboot and try to access other features of GRUB by pressing the “p” key. Did it work?

    GRUB.conf

  3. Edit grub.conf

Complete this simple process, and you would have taken a small but significant towards enhancing the physical security profile of your computer

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s