GRUB is the 3rd stage in the Linux Boot Process that we discussed earlier.
GRUB's security features allow you to set a password on the GRUB entries. Once a password is set, nobody can edit a GRUB entry or pass arguments to the kernel from the GRUB command line without entering it.
It is highly recommended to set a GRUB password on any critical production system, as explained in this article.
On a system where GRUB is not secured with the password, the following message will be displayed right under the GRUB menu during the system startup.
"
Press enter to boot the selected OS,
'e' to edit the commands before booting,
'a' to modify the kernel arguments before booting, or
'c' for a command-line
"
As you can see from this message, anybody standing in front of the console while the server reboots can edit the GRUB commands or even modify the kernel arguments. On a production system this will probably cause problems if someone who does not know what they are doing plays around with it.
Enter the Password command in grub.conf
/boot/grub/grub.conf contains information about the entries that are displayed in the GRUB menu during system startup. On some systems, /etc/grub.conf is a symbolic link to /boot/grub/grub.conf.
Add the following “password” line to the grub.conf file.
"
$ cat /etc/grub.conf
default=0
timeout=15
password GrbPwd4SysAd$
..
"
Once the “password” command is added to grub.conf, the following message will be displayed right under the GRUB menu during system startup.
"
Press enter to boot the selected OS or
'p' to enter a password to unlock the next set of features.
"
Encrypt password using grub-crypt
You can use the grub-crypt utility to create an encrypted (i.e. hashed) password so that the cleartext never appears in grub.conf.
"
# grub-crypt
Password: GrbPwd4SysAd$
Retype password: GrbPwd4SysAd$
^9^32kwzzX./3WISQ0C
"
Modify the grub.conf file and add the “password” entry with the --encrypted argument as shown below.
"
$ cat /etc/grub.conf
default=0
timeout=15
password --encrypted ^9^32kwzzX./3WISQ0C
..
"
By default, the grub-crypt command hashes the password with the SHA-512 algorithm. You can also have it use SHA-256 or MD5 as shown below.
"
# grub-crypt --sha-256
# grub-crypt --md5
"
You can also use the md5crypt command from the GRUB shell to hash the password. In that case, use “password --md5 encrypted-password” in your grub.conf file.
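To check the result of the steps above on a system, here is a small audit script (added here as an example, not part of the original article or of GRUB) that reports whether the global section of a GRUB-legacy grub.conf has no password, a cleartext one, or a hashed one, and whether the file is readable by other users, which would expose the hash. The sample configs in the test are constructed; the function names are assumptions of this example.

```shell
#!/bin/sh
# Classify the global "password" directive of a GRUB-legacy grub.conf.
# Prints one of: none | plaintext | hashed
# Exit status: 0 when a hashed password protects the menu, 1 otherwise.
grub_password_status() {
    conf="$1"
    # Only the global section counts: a "password" line placed before the
    # first "title" entry is what disables interactive editing of the menu.
    line=$(sed '/^[[:space:]]*title/,$d' "$conf" \
           | grep -E '^[[:space:]]*password([[:space:]]|$)' | head -n 1)
    if [ -z "$line" ]; then
        echo none
        return 1
    fi
    case "$line" in
        *--encrypted*|*--md5*) echo hashed;    return 0 ;;
        *)                     echo plaintext; return 1 ;;
    esac
}

# Returns 0 if "other" users can read the file (the hash would be exposed
# to any local account), 1 if the file is restricted.
grub_conf_world_readable() {
    [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Usage: sh grub_pw_check.sh /boot/grub/grub.conf
if [ $# -eq 1 ]; then
    printf '%s: password=%s\n' "$1" "$(grub_password_status "$1")"
    if grub_conf_world_readable "$1"; then
        printf '%s: world-readable, consider chmod 600\n' "$1"
    fi
fi
```

A "plaintext" or "none" result on a production host means the menu is still editable or the password is recoverable by anyone who can read the file.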