Tech Junkie Blog - Real World Tutorials, Happy Coding!: Linux System Administration GRUB2: Password Protect GRUB2

Monday, February 14, 2022

Linux System Administration GRUB2: Password Protect GRUB2

From the past few posts you can see that GRUB2 is a very powerful utility in Linux. It's so powerful that anyone who can reach the GRUB menu can create and change the root password. One way to prevent unauthorized access to this feature is to password protect it and encrypt the password as well.

Here are the steps to password protect GRUB2:

1. Make a copy of the file /etc/grub.d/01_users with the command cp /etc/grub.d/01_users . in the terminal

2. Go into the grub.d directory with the command cd /etc/grub.d

3. Now you want to edit the 01_users file with the command vi 01_users




4. The file should look something like this. By looking at the file you can see that it's currently using the encrypted root password for authentication. What we want to do is use a user that's not in the system to control access to GRUB2.

#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root \${GRUB2_PASSWORD}
  fi
fi
EOF

Here is what the file will look like with the new user

#!/bin/sh -e
cat << EOF
    set superusers="johndoe"
    password johndoe Topsecret1!
EOF

Save the file with esc then :x enter

5. Next, regenerate the configuration file with the command grub2-mkconfig -o /boot/grub2/grub.cfg

If you get this error message

/etc/default/grub: line 7: unexpected EOF while looking for matching `"'

that means your /etc/default/grub file is missing a double quote. This might be a bug in the Linux OS; some people don't seem to have this issue. The solution is to edit the file and add a quote to the second-to-last line.












6. Now if you press e at the GRUB menu you will be prompted for a username and password. You can authenticate by typing in the username and password you just specified.




After typing in the username and password you will have access to the system administration functions. Just press Ctrl+x to go through the normal boot process.












7. That's great and all, but the password is stored in clear text and someone can just look at the file to figure out what the password is. To encrypt the password, run the command grub2-mkpasswd-pbkdf2, which prompts for the password and prints its PBKDF2 hash (the encrypted password). Copy the encrypted password to the clipboard.





8. Go into the grub.d folder with the command cd /etc/grub.d/ and edit the 01_users file again to change the password to an encrypted password. Note that the directive changes from password to password_pbkdf2. The file should look like this:

#!/bin/sh -e
cat << EOF
    set superusers="johndoe"
    password_pbkdf2 johndoe grub.pbkdf2.sha512.10000.D923C3338B8C00DEA2546724EF33CD91B37DB0B52502148B387ACDFDA2A3628777A8D68ADD009044E6A590E59EECEE5B243D594EC11ED25EF502227EBA425FDC.CEB89F60CE9826B57A116B7049CB2F9C359BF0793B9AB210E75E394A503EFAB8C9C56EF4C2CF7BB7A55E267C938D578AED9D26ABEC3677E92EE4203128558BE4
EOF

Obviously your encrypted string will be different depending on your password. Save the file by typing esc, :x.

9. Regenerate the grub.cfg file with the command grub2-mkconfig -o /boot/grub2/grub.cfg

10. Now, when you are confronted with the password prompt at the GRUB menu, you can type in the same password as before; the difference is that it is now stored encrypted.
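A check worth running on the edited 01_users file before regenerating grub.cfg, added here as an example and not part of the original post: the hypothetical function audit_grub_users flags a clear-text password line, a misspelled password_* directive, a malformed hash, and a superuser with no password entry. It targets the hand-edited form shown in steps 4 and 8, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a hand-edited 01_users.
# audit_grub_users FILE -> prints findings, returns 0 (clean) or 1 (problems).
audit_grub_users() {
    file=$1; rc=0
    # Without superusers, GRUB enforces no authentication at all.
    supers=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers="\([^"]*\)".*/\1/p' "$file")
    [ -n "$supers" ] || { echo "FAIL: superusers is not set"; rc=1; }
    # "password USER SECRET" leaves the secret readable in the file.
    if grep -Eq '^[[:space:]]*password[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]' "$file"; then
        echo "FAIL: clear-text password directive"; rc=1
    fi
    # A misspelled directive (password_pbkbf2, ...) is not a GRUB command.
    if grep -E '^[[:space:]]*password_' "$file" |
        grep -Evq '^[[:space:]]*password_pbkdf2[[:space:]]'; then
        echo "FAIL: unknown password_* directive (typo?)"; rc=1
    fi
    # The hash must have the shape printed by grub2-mkpasswd-pbkdf2.
    if grep -E '^[[:space:]]*password_pbkdf2[[:space:]]' "$file" |
        grep -Evq '[[:space:]]grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+[[:space:]]*$'; then
        echo "FAIL: malformed PBKDF2 hash"; rc=1
    fi
    # Every superuser needs a matching password entry, or nobody can log in.
    # GRUB accepts spaces, commas, semicolons, pipes and ampersands as separators.
    for u in $(printf '%s' "$supers" | tr ',;|&' '    '); do
        if ! grep -Eq "^[[:space:]]*password(_pbkdf2)?[[:space:]]+$u[[:space:]]" "$file"; then
            echo "FAIL: superuser '$u' has no password entry"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}

# Constructed sample: the clear-text form from step 4 of the post.
demo=$(mktemp)
printf '%s\n' '#!/bin/sh -e' 'cat << EOF' '    set superusers="johndoe"' \
    '    password johndoe Topsecret1!' 'EOF' > "$demo"
audit_grub_users "$demo" || true
rm -f "$demo"
```

On a real system, call it as audit_grub_users /etc/grub.d/01_users after each edit.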
