How to set a GRUB password

linux category thumbnail

Resetting the root password is the most easiest tasks in Linux. You can read the article Reset Root Password in Linux to know how to do this. To plug this security hole and to make Linux more secure with set a password for editing the boot parameters. This password will make sure only users knowing this have access to edit the boot parameters. There are two ways of doing this. If you have GUI installed it is very easy to accomplish this task. For command-line installations you have to be extra careful not to edit anything else when executing commands like sed.

Step 1: Generate a MD5 encrypted password using grub-md5-crypt

Using the grub-md5-crypt command an encrypted password should be created. I’ve outlined two methods for users with GUI installed and command-line only users.

For GUI users

Open a terminal from your desktop and type


you’ll be prompted twice to enter a password and then a MD5 encrypted password will be shown. Copy this password and move on to the next step.

For command-line users

From the command line you can execute the same command but how can the generated password be copied ? For this we need to get a plaintext password from a file, pass the contents as an input to grub-md5-crypt and save the output in that file again. Execute the following commands

touch tempfile
vi tempfile

Type the desired password in the first line and in the next line too type the same password, save the file and exit. We’ll be passing these as the input for grub-md5-encrypt. In case you’re wondering whether you can use echo to write the password to this file don’t do it because the plaintext password will show up in history. Now execute the following command.

echo $(cat tempfile | grub-md5-encrypt 2> /dev/null) > tempfile

This command will pass the contents of tempfile to grub-md5-encrypt any STDERRs will be suppressed by /dev/null and the entire output of this will be echoed back to tempfile. Now open tempfile you’ll find the following contents

Password: Retype password: your-encrypted-password

Edit the file to look as following

password --md5 your-encrypted-password

make sure you don’t accidentally edit the encrypted password string. Now move on to the next step.

Step 2: Add the password to /boot/grub/grub.conf

Before proceeding with this step you MUST backup the /boot/grub/grub.conf file because you are bound to make a lot of errors in this step. The following command will create a copy of the file at /boot/grub/grub.conf.bak

cp /boot/grub/grub.conf{,.bak}

If you’ve been doing the GUI method just open /boot/grub/grub.conf file and add the following line at the beginning of the file

password --md5 encrypted-password

The encrypted-password is the string you copied after executing the grub-md5-crypt command.

For command-line warriors, using the sed command add the password to the grub.conf. Please make sure you have a backup copy.

sed "1 a $(cat tempfile)" /boot/grub/grub.conf > tempfile
mv tempfile /boot/grub/grub.conf

When prompted to overwrite enter y to confirm. The first command adds the password option to the first line and writes the entire contents of grub.conf to tempfile Now is the time to check whether anything else have been modified in the grub.conf file.

diff /boot/grub/grub.conf{,.bak}

The original file and backup copy are checked for differences. You should only see password –md5 <md5-password> if something else differs review the contents and make necessary changes. Now reboot your system and see it in action.

GRUB password
The GRUB password has been successfully set. Without entering the GRUB password no one can edit the boot parameters

Press p enter the correct password now you can edit the kernel arguments and other boot options. The reason why we are using only one tempfile to store passwords and process things is that to add more security. After storing the plaintext password when you echo the encrypted password the > symbol is used instead of >> so that the plaintext password is overwritten. Finally the mv command is used so the the tempfile is moved and erased. Our aim is to store the encrypted password only in the grub.conf file and no where else.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>