How To Protect GRUB2 Bootloader With Password In RHEL/CentOS
In this article, we are going to learn how to protect the GRUB2 bootloader with a password in RHEL/CentOS. GRUB, which stands for Grand Unified Bootloader, is the default bootloader for all Linux and Unix operating systems. It was first invented by Sir Erich Stefan Boleyn in the year 1995. The GRUB2 bootloader loads the kernel, and the kernel then loads the operating system. In short, GRUB is the module that is used to start the operating system.
There are two versions, GRUB and GRUB2, and some changes were made in the latest version (i.e. GRUB2). For example, in GRUB the main configuration file was "grub.conf", but in GRUB2 it is "grub.cfg". In GRUB2 the hard disk number starts with 1, whereas it was 0 in the previous version of GRUB, and so on. RHEL/CentOS 7 comes with the GRUB2 bootloader.
Follow the steps below to protect the GRUB2 bootloader with a password in RHEL/CentOS:
Step: 1 Generate Encrypted Password
First, we have to generate an encrypted password using the command grub2-mkpasswd-pbkdf2. After executing the command, it will ask you to enter a password, so enter the password you want to set to protect the GRUB2 bootloader.
Note: The generated encrypted password is the long string beginning with grub.pbkdf2.sha512 in the output below.
# grub2-mkpasswd-pbkdf2    # Use this command to Generate Encrypted Password
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.FECBECE234528AAC47780D5B3C2A24E099DA822F6C9432407EE4A0B66EF5A691774C86E21CB6D9C19CFE96353E34475228286E25A6F12A42758B087F18D5D0F9.6C84C084FA82EEB9E9A239B752F76898C2667FB4FAB8F300A12353E1291DDA3D85F664F1CC546DFC17EB1F47765276078C3EA070F1F3B4EDCAB1F9629644CD81
So now we have the encrypted password, which we have to set in the GRUB2 bootloader main configuration file, grub.cfg. But it is recommended that we do not edit the grub.cfg configuration file directly, so we have to copy the encrypted password into the GRUB2 custom menu file, i.e. 40_custom, which is located in /etc/grub.d/. Refer to the output below.
# ls /etc/grub.d/
00_header  10_linux      20_ppc_terminfo  40_custom  README
00_tuned   20_linux_xen  30_os-prober     41_custom
Step: 2 Set the Password on GRUB2 main Configuration File
Before editing the 40_custom menu file, we recommend you take a backup using the command below.
# cp /etc/grub.d/40_custom /etc/grub.d/40_custom.backup
Now edit the file using the command below and add the two lines beginning with set superusers and password_pbkdf2, as shown at the end of the file below.
# nano /etc/grub.d/40_custom # Edit the GRUB Custom Menu
#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.FECBECE234528AAC47780D5B3C2A24E099DA822F6C9432407EE4A0B66EF5A691774C86E21CB6D9C19CFE96353E34475228286E25A6F12A42758B087F18D5D0F9.6C84C084FA82EEB9E9A239B752F76898C2667FB4FAB8F300A12353E1291DDA3D85F664F1CC546DFC17EB1F47765276078C3EA070F1F3B4EDCAB1F9629644CD81
Step: 3 Update the grub.cfg File
Now we have to update the grub.cfg file using the grub2-mkconfig command, but before that let's take a backup of the grub.cfg file.
# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.backup
Run the below command to update the grub.cfg file.
# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-229.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-229.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-7c6e54925d804adcae1a4e795e596226
Found initrd image: /boot/initramfs-0-rescue-7c6e54925d804adcae1a4e795e596226.img
done
After updating the GRUB2 bootloader main configuration file, the encrypted password will be set in the grub.cfg file. We can check it by opening the file using the cat or less command.
As we can see in the snapshot above, the password is there in the grub.cfg file in the 40_custom section.
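The same check can be scripted instead of reading the file by eye. The following is an added example, not part of the original article: audit_grub_cfg is a hypothetical helper name, and it assumes the hash is written literally into grub.cfg as in Step 2. The sample file it runs on is constructed, with a shortened fake hash.

```shell
#!/bin/sh
# Added example: audit a generated grub.cfg for the password setup from Steps 1-3.
# audit_grub_cfg is a hypothetical helper name, not part of GRUB2.
audit_grub_cfg() {
    cfg=$1
    rc=0
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 2; }

    # Without a superusers list, GRUB does not ask for credentials at all.
    users=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers="\([^"]*\)".*/\1/p' "$cfg" | tail -n 1)
    if [ -z "$users" ]; then
        echo "FAIL: no 'set superusers=\"...\"' line"; return 1
    fi

    # A plain 'password <user> <secret>' directive keeps the secret readable in the file.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "FAIL: plaintext 'password' directive present"; rc=1
    fi

    # Every superuser needs a well-formed password_pbkdf2 entry.
    for u in $(echo "$users" | tr ',;|&' '    '); do
        hash=$(awk -v u="$u" '$1=="password_pbkdf2" && $2==u {print $3}' "$cfg" | tail -n 1)
        if echo "$hash" | grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'; then
            echo "OK: superuser '$u' has a PBKDF2 hash ($(echo "$hash" | cut -d. -f4) iterations)"
        else
            echo "FAIL: superuser '$u' has no valid password_pbkdf2 hash"; rc=1
        fi
    done
    return $rc
}

# Constructed sample (shortened fake hash, not a real one) so the check runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
### BEGIN /etc/grub.d/40_custom ###
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.AB12.CD34
### END /etc/grub.d/40_custom ###
EOF
audit_grub_cfg "$sample"
rm -f "$sample"
```

On a real system, call it as audit_grub_cfg /boot/grub2/grub.cfg after running grub2-mkconfig.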
We are done with all the required configuration. Now just restart the system to check whether the GRUB bootloader is protected with a password or not.
# reboot # Restart the System
After the restart, interrupt the normal boot process by pressing the SPACE BAR, select the GRUB menu entry highlighted in blue in the snapshot below, and then press e to edit it.
Now it asks for a username and password, as shown in the snapshot below. Here, just enter the username as root and the password which we set in Step: 1.
After a successful authentication, we are able to edit the GRUB2 bootloader, as shown in the snapshot below.
That's all. In this article, we have explained how to protect the GRUB2 bootloader with a password in RHEL/CentOS. I hope you enjoy this article. If you like this article, then just share it. If you have any questions about this article, please comment.