How To Protect Grub2 Bootloader With Password In Rhel/Centos

In this article, we are going to learn How To Protect Grub2 Bootloader With Password In Rhel/Centos. GRUB stands for Grand Unified Bootloader is the default bootloader for all Linux and Unix like Operating Systems. It was first invented by Sir Erich Stefan Boleyn in the year 1995. GRUB2 bootloader is used to load the kernel and then kernel loads the Operating System, In short GRUB is the Module that is used to start the Operating System.

The Versions of GRUB are GRUB and GRUB2 Bootloader and there are some changes are made in the latest version of GRUB ( i.e. GRUB2 Bootloader ) like in GRUB the main configuration file was “grub.conf” but in GRUB2 bootloader its “grub.cfg“. In GRUB2 the harddisk number starts with 1 as it was 0 in the previous version of GRUB and So on. RHEL/CentOS 7 comes with GRUB2 Bootloader.

How To Protect Grub2 Bootloader With Password In Rhel/Centos

Follow the Steps to Protect GRUB2 Bootloader with Password In Rhel/Centos :

Step: 1 Generate Encrypted Password

First, we have to generate an encrypted password using command grub2-mkpasswd-pbkdf2. After executing the command it will ask to enter a password, So here you enter the password which is you want to set to protect GRUB2 Bootloader.

Note: Below the generated encrypted password is highlighted in blue color.

# grub2-mkpasswd-pbkdf2     # Use this command to Generate Encrypted Password
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.FECBECE234528AAC47780D5B3C2A24E099DA822F6C9432407EE4A0B66EF5A691774C86E21CB6D9C19CFE96353E34475228286E25A6F12A42758B087F18D5D0F9.6C84C084FA82EEB9E9A239B752F76898C2667FB4FAB8F300A12353E1291DDA3D85F664F1CC546DFC17EB1F47765276078C3EA070F1F3B4EDCAB1F9629644CD81

So now we have the encrypted password which we have to set on GRUB2 Bootloader main configuration file which is grub.cfg. But it is recommended that we should not edit the boot.cfg configuration file directly, So we have to copy the encrypted password on the GRUB2 custom menu i.e. 40_custom which is located at /etc/grub.d/. Refer to the below output.

# ls /etc/grub.d/
00_header  10_linux      20_ppc_terminfo  40_custom  README
00_tuned   20_linux_xen  30_os-prober     41_custom

Step: 2 Set the Password on GRUB2 main Configuration File

So before edit the 40_custom menu file we recommend you take a backup using the below command.

# cp /etc/grub.d/40_custom /etc/grub.d/40_custom.backup

Now edit the file using the below command and enter the lines shown below which is highlighted in blue color.

# nano /etc/grub.d/40_custom   # Edit the GRUB Custom Menu
#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.FECBECE234528AAC47780D5B3C2A24E099DA822F6C9432407EE4A0B66EF5A691774C86E21CB6D9C19CFE96353E34475228286E25A6F12A42758B087F18D5D0F9.6C84C084FA82EEB9E9A239B752F76898C2667FB4FAB8F300A12353E1291DDA3D85F664F1CC546DFC17EB1F47765276078C3EA070F1F3B4EDCAB1F9629644CD81

Step : 3 Update the grub.cfg File

Now we have to update the grub.cfg file by using grub2-mkconfig command, but before that let’s take the backup of grub.cfg file.

# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.backup

Run the below command to update the grub.cfg file.

# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-229.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-229.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-7c6e54925d804adcae1a4e795e596226
Found initrd image: /boot/initramfs-0-rescue-7c6e54925d804adcae1a4e795e596226.img
done

After update the GRUB2 Bootloader main configuration file the encrypted password will set on grub.cfg file, We can check it by open the file using cat or less command.

How To Protect Grub2 Bootloader With Password In Rhel/Centos

Checking the encrypted Password in grub.cfg file

As we can see on the snapshot above the password is there on grub.cfg file on the 40_custom Section.

We are done with all required configuration, Now just restart the system to check if GRUB Bootloader is protected with a password or not.

# reboot   # Restart the System

After the restart, the system interrupts the normal boot process by pressing the SPACE BAR and select the GRUB menu as highlighted in blue color on the snapshot below and then press e to edit the GRUB.

How To Protect Grub2 Bootloader With Password In Rhel/Centos

Edit the GRUB Menu

Now it’s asking for Username and Password as shown on the snapshot below, So here just enter the username as root and Password which we have set on Step: 1.

How To Protect Grub2 Bootloader With Password In Rhel/Centos

Enter Password to Edit the GRUB2

So after a successful authentication we able to edit the GRUB2 Bootloader as shown on the snapshot below.

How To Protect Grub2 Bootloader With Password In Rhel/Centos

GRUB2 Edited after Authentication

Also Read – How to Configure Basic Authentication in Apache Web Server

That’s all, In this article, we have explained How To Protect Grub2 Bootloader With Password In Rhel/Centos. I hope you enjoy this article. If you like this article, then just share it. If you have any questions about this article, please comment.

Sidebar