How To Password Protect GRUB Entries (Linux)

Ads by Google

how-to-password-protect-grub-entries GRUB or the GRand Unified Bootloader is the bootloader commonly installed by Linux distributions on your hard disk. GRUB is responsible for showing you the menu that allows you to choose the operating system you want to boot into and also lets you tweak and control the booting options.

Awesome powers in good hands but as you probably know “with great powers come great responsibilities”, so GRUB allows you to lock down some features and boot entries to allow only the intended users to go through.

When talking of security in computer systems one often needs to analyse the situation one is in and choose the appropriate options. If you have hackers getting physical access to your computer system the GRUB security measures won’t last a second (pretty much nothing would do). Your best bet in such a situation is to keep the hard drive encrypted, or if your hard drive can be password protected, use that option.

However, the majority of us don’t have to worry about hackers with physical access as much as our not-so-computer savvy relatives and friends fiddling around with the system. That is what we have the log in passwords for (they are not secure enough for hackers, trust me!), and that is the situation where you would be wise to make use of GRUB security features.

It is also a good practice to password protect the recovery mode entries as they can be used by any user to gain root access.

GRUB security features allow you to lock down the editing of boot options accessed by pressing the ‘e’ key and they allow you to password protect selected or all boot entries.

Ads by Google

Follow the steps below to see how to password protect GRUB entries:

  • Fire up the terminal. Type grub and press enter. The prompt would change to something like ‘grub>’.
  • Enter md5crypt at the GRUB prompt. Type in the password when prompted for and press enter. The command will return you password encrypted as an md5 hash. You will need this so make a note of it or copy to the clipboard.
  • add password to grub

  • Now we need to edit the /boot/grub/menu.lst file. You are advised to make a backup of the file before editing it in case something goes wrong.
  • password protect grub ubuntu

  • Enter the line password –md5 <the copied md5 string from step 3> before the line that reads: “BEGIN AUTOMAGIC KERNEL LIST” (actually it just needs to come before any of the boot menu entries, so you can write it anywhere as long as it is before them).
  • If you save the file at this moment without any further edits you would have locked down interactive editing in GRUB. The administrator or in this case you would have to press ‘p’ key and enter the correct password to access these advanced options.
  • If in addition you want to lock down specific menu entries so that anyone without the knowledge of the correct password cannot boot into that operating system you should add the word lock all by itself on a separate line just after the title specification for each entry in the menu.
  • The next time anyone tries to select the locked menu entry he/she will be required to enter a password before he/she can boot into the corresponding operating system.
  • To lock the recovery mode entries it is best to change the line lockalternative=false to lockalternative=true. This will lock down all future recovery mode entries as well even if you update the kernel.

What security features do you use to secure your system? Have you encrypted your hard drive? Or do you use a BIOS password? Let us know in the comments. Also check out how to add a custom background to GRUB menu

Join live MakeUseOf Groups on Grouvi App Join live Groups on Grouvi
Master the Linux Command Line
Master the Linux Command Line
35 Members
Best Linux Apps
Best Linux Apps
34 Members
Linux for New Switchers
Linux for New Switchers
33 Members
Linux Distros Talk
Linux Distros Talk
26 Members
Ads by Google
Comments (8)
  • hotgeek

    It doesn’t work in case you have dual-boot machine with EFI enabled.

  • sensiguard

    Thanks for sharing with us .very informative and interesting …keep posting :D

  • James the 1st

    Two comments:

    1. Varun Kashyap, the author, made it pretty clear this was to prevent would-be family and friend would-be gurus from messing where you don’t want messing. It’s certainly not to prevent a knowledgeable cracker from getting in.
    2.He also made it fairly clear to do some intelligent backups before getting in to this.

    Nice job…

  • delhi

    sir i am facing one problem. if i boot then i will get error msg
    such as Error 32:Must be authenticated
    Press any key to continue…

    • vickey

      Check the password you have entered. I think the error represents that.

  • hydtech

    hmm, what if someone manages to bypass or replace the Grub bootloader? then the password lock wouldn’t matter.

    • JBu92

      Actually, it’s much simpler than that, you can simply hit e (I think it’s w, whichever one allows you to edit the boot options) and delete the password line. Wish I’d have known that BEFORE I messed up my md5 hash (forgot the $, lol).

    • JBu92

      That works if you put the password on each individual entry, anyways, I’m not sure if it works w/ the lock feature.

Affiliate Disclamer

This review may contain affiliate links, which pays us a small compensation if you do decide to make a purchase based on our recommendation. Our judgement is in no way biased, and our recommendations are always based on the merits of the items.

For more details, please read our disclosure.
Affiliate Disclamer

This review may contain affiliate links, which pays us a small compensation if you do decide to make a purchase based on our recommendation. Our judgement is in no way biased, and our recommendations are always based on the merits of the items.

For more details, please read our disclosure.