One of the best ways to secure your Linux system is by setting a password in GRUB. By having a boot password, no one can boot into your system or access single user mode without supplying a password when the system first turns on.
In this tutorial, we will go through the step by step instructions to set a password in GRUB for boot protection.
In this tutorial you will learn:
How to set a password in GRUB for boot protection
Advantages and caveats of setting a GRUB boot password
Privileged access to your Linux system as root or via the sudo command.
Conventions
# – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command $ – requires given linux commands to be executed as a regular non-privileged user
Advantages and caveats of setting a GRUB boot password
Setting a boot password in GRUB is an excellent way to secure your Linux system. However, it is only one part of many things a user must do in order to ensure top security for their computer. Before we dive in to the step by step instructions, take a few of the following points into consideration.
Pros of setting a GRUB boot password:
Setting a GRUB password is a quick and easy process that will amplify the security of your Linux system.
A GRUB password will not only prevent unauthorized users from booting into your Linux system, but also prevent them from accessing single user mode. If an attacker can access single user mode, they can reset your root password and login to your system.
Caveats of setting a GRUB boot password:
Setting a GRUB password will only protect against an attacker that is physically present at your computer. It does not protect it from remote attacks or other threats.
The attacker would need to boot into your computer in order to be presented with the GRUB password prompt. If the computer is already turned on, even at the operating system’s lock screen, then the GRUB password has already been bypassed and will not protect your computer.
Setting a GRUB boot password would be a bad idea on systems that are managed remotely. For example, if someone reboots the system via SSH, you will need another user physically present at the computer to supply the GRUB password before the system can boot up again.
If you ever forget your GRUB password, you will not be able to boot into the operating system again.
How to set a boot password for GRUB step by step instructions
Get started by opening a command line terminal and typing the following command to generate a password hash.
$ grub-mkpasswd-pbkdf2
You will be prompted to enter a password twice, and then a hash will be output to your terminal.
Copy the password hash to your clipboard. This includes the part that starts with “grub.” As an example, this is the password hash we have generated on our test system. The syntax of yours should look the same.
Next, we will make some edits to the /etc/grub.d/00_header GRUB configuration file. Use nano or your preferred text editor to open this file with root privileges.
$ sudo nano /etc/grub.d/00_header
At the bottom of this file, you will need to paste the following code, while replacing linuxconfig with the name of your user account, and replacing INSERT-HASH with the password hash that you generated earlier.
cat << EOF
set superusers="linuxconfig"
password_pbkdf2 linuxconfig INSERT-HASH
EOF
After you have made the change from the previous step, you can exit and save your changes to the GRUB configuration file. After that, execute the update-grub command with root privileges for the GRUB password settings to take effect.
$ sudo update-grub
The only thing to do now is reboot the system and make sure that you are presented with a prompt for your GRUB password.
In this tutorial, we saw how to set a GRUB boot password in Linux. Setting a GRUB password will go a long way in protecting your system, but only protects it from attackers that are trying to physically boot into your computer. For traveling laptops with sensitive information, it is a great way to protect the sensitive files from thieves and prying eyes.
