Passwords and Encryption
Command Line – GRUB 2
More than just a boot manager, GRUB 2 can help you add another line of protection to your security defenses.
A boot manager is almost as much a part of the Linux tradition as compiling a custom kernel. Traditionally, a boot manager has been used to choose a kernel to start and to run multiple operating systems on a single computer. However, at a time when everybody is becoming security conscious, few are aware that GRUB 2, the most popular boot manager, can also require passwords, stored as PBKDF2 hashes rather than in clear text, to add another layer of security [1]. Admittedly, GRUB 2 passwords are not enough by themselves, because anyone who can boot other media or remove the disk bypasses them, but they are still worth adding to your defense in depth.
GRUB 2 has existed for well over a decade and is rapidly replacing GRUB Legacy, the original version of the boot manager, especially in major distributions. As a result, its basic operation and traditional uses are reasonably well known. However, before I dive into setting up passwords and password hashing, a quick overview is useful, both as a reminder and as an introduction for those who might still be using GRUB Legacy or another boot manager, like the now discontinued LILO.
GRUB 2 has configuration files in several places. The first is the /boot/grub/ directory, which contains grub.cfg, the main configuration file. However, unlike GRUB Legacy, the main configuration file is not edited directly, and neither are the kernel and initrd images in /boot that the menu entries point to. Instead, grub.cfg is regenerated automatically when a kernel is added to or removed from the system, or when the user runs the command update-grub, which builds the menu of available kernels and operating systems. Resources such as the background image are also generally stored in /boot/grub/, although they can be stored in another path.
Setting GRUB Display Options and Behavior
The first GRUB 2 configuration file that you edit directly is /etc/default/grub [2]. This file sets display and timing options (Table 1). Each option is a human-readable KEY=value line, edited either by uncommenting it or by changing its value. You might, for example, raise GRUB_TIMEOUT from its Debian default of five seconds to 20 seconds if users must read through a long list of kernels before choosing one. The file is heavily commented, but full instructions for editing /etc/default/grub are available by running:
info -f grub -n 'Simple configuration'
Table 1
Selected Entries in /etc/default/grub

Option | Purpose
---|---
GRUB_DEFAULT | Sets the default menu item to boot.
GRUB_TIMEOUT | Seconds that GRUB 2 shows the menu before booting the default entry if no key is pressed.
GRUB_HIDDEN_TIMEOUT | Seconds that GRUB 2 waits before booting when no menu is displayed (superseded by GRUB_TIMEOUT_STYLE in GRUB 2.02 and later).
GRUB_HIDDEN_TIMEOUT_QUIET | Suppresses the countdown when no menu is displayed.
GRUB_DISTRIBUTOR | Sets the distributor name used in the titles of the generated menu entries.
GRUB_BADRAM | Marks the listed RAM regions as bad so that GRUB 2 and the kernel do not use them.
GRUB_TERMINAL | Selects the terminal (e.g., console), which disables the graphical display.
GRUB_GFXMODE | Sets the screen resolution for GRUB 2's graphical terminal.
GRUB_INIT_TUNE | Plays a tune on the PC speaker when GRUB 2 starts.
GRUB_BACKGROUND | Path to the background (splash) image shown behind the menu.
No man page is available for this file; GNU projects like GRUB often prefer info instead. The third source of configuration information is the set of scripts in the /etc/grub.d/ directory. Each file in /etc/grub.d is an executable script, and the numeric prefix in its name sets the order in which update-grub runs it, and therefore the order of the generated sections in grub.cfg. Table 2 shows the scripts commonly found in Linux. Most are created automatically when you install Linux and only need editing if you want refinements, such as password protection. An especially important pair is the 40_custom and 41_custom files, which are intended for your own entries. These custom files are useful for restoring a system from a recovery disk, although that is a subject outside the scope of this article.
Table 2
Common Files in /etc/grub.d
Third-party and custom scripts vary with the distribution.

Script | Purpose
---|---
00_* | Header scripts
00_header | Sets environment variables, such as system file locations and video settings
05_debian_theme | Sets the theme for the menu display and the splash screen behind it
10_* | Boot entries for the installed distribution
10_linux | Generates the entries for the installed Linux kernels
20_* | Third-party components
20_memtest86+ | Adds an entry for /boot/memtest86+.bin if it is present
20_linux_xen | Generates entries for booting Linux under the Xen hypervisor
30_uefi-firmware | Adds an entry that reboots into the UEFI firmware setup on UEFI systems
30_os-prober | Searches for other operating systems, such as Windows or a second Linux, if os-prober is installed
40_custom* | User-generated scripts
40_custom | Template for adding your own menu entries
41_custom | Loads additional custom menu entries from /boot/grub/custom.cfg if that file exists
Each time you finish editing /etc/default/grub or any file in /etc/grub.d, the changes take effect only after you run update-grub as root. This command rebuilds /boot/grub/grub.cfg, so be sure your changes are valid and typo-free before running it; a broken grub.cfg can leave the machine unbootable. Backing up grub.cfg first will reduce your recovery time if the worst happens.
Other tools for modifying GRUB 2 also exist (e.g., grub-mkfont) that do much of the work for you. However, I emphasize customizing with a text editor, because that is what setting passwords requires, and it gives users a chance to learn the application in depth.
Setting Up Password Support
GRUB 2 supports passwords for the entire menu, for a whole class of operating system, and for individual menu items. By itself, password support does not provide comprehensive security: with the basic password command, passwords are stored in clear text in grub.cfg, readable by anyone who can mount /boot, and the whole mechanism is bypassed by booting from a live or rescue disk or by removing the drive. Treat it as one layer, to be combined with a firmware (BIOS/UEFI) password and full-disk encryption.
Password protection is set up by editing the generator scripts in /etc/grub.d as root. Three files are involved: /etc/grub.d/00_header, /etc/grub.d/10_linux, and, if you want to protect the entries for other operating systems, /etc/grub.d/30_os-prober, which exists and does anything only when os-prober is installed. Back up all three somewhere outside /etc/grub.d, so you can easily recover from any problems. Do not place the backups in /etc/grub.d: update-grub runs every script it finds there, so a backup copy would be executed as well and its output duplicated in grub.cfg. If you need a reference, you can find a sample file online [3].
The setup for passwords requires four steps:
- Add a superuser and password. This superuser (GRUB's equivalent of root; it need not match any Linux account) can use the GRUB command line, edit entries, and boot any menu item. Technically, the definition can go in any of the three files, but usually it is placed in /etc/grub.d/00_header. Scroll all the way down to the bottom of the file and add lines with the following structure:

cat <<EOF
set superusers="USER"
password USER PASSWORD
export superusers
EOF

- Add other users. You will probably grant the other users on the system access to particular menu items, but first you need to make GRUB aware of each user. Use the structure password USER PASSWORD, adding one user per line below the password line for the superuser. Once the users are defined, decide which menu items to protect. The superuser can select any item, entering a password for protected ones; other users must be listed explicitly on a protected item before they can open it. Note that in GRUB 2.00 and later, once superusers is set, an entry that carries neither --users nor --unrestricted is restricted to superusers, so add --unrestricted to any entry that should remain selectable by everyone.
- Protect the Linux menu items. Open /etc/grub.d/10_linux and find the line:

printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"

Add --users '' after ${CLASS}, so that the line reads:

printf "menuentry '${title}' ${CLASS} --users '' {\n" "${os}" "${version}"

Note that --users is followed by two single quotation marks (an empty user list, meaning superusers only), not a double quotation mark. To let particular non-superusers boot the entry as well, list them instead, as in --users 'alice,bob'.
- Protect the entries for other operating systems. These are generated by /etc/grub.d/30_os-prober; if the file is missing, recreate it from an online example. To add password protection to all os-prober entries at once, run:

sed -i "s/--class os /--class os --users '' /" /etc/grub.d/30_os-prober

Alternatively, you can protect only a certain type of operating system by adding --users '' before the opening curly bracket of the matching menuentry line. For instance, to protect other Linux installations, the edited line should read:

menuentry "${LLABEL} (on ${DEVICE})" --class gnu-linux --class gnu --class os --users '' {

while for Windows, the edited line would be:

menuentry "${LONGNAME} (on ${DEVICE})" --class windows --class os --users '' {

Should you want to password protect a particular partition that has an operating system on it, find in /etc/grub.d/30_os-prober the lines:

cat << EOF
menuentry "${LONGNAME} (on ${DEVICE})" --class windows --class os {
EOF

and edit them to read as shown in Listing 1, replacing /dev/sdXY in the first line with the name of the partition (e.g., /dev/sda5).

Listing 1
Edited /etc/grub.d/30_os-prober File

if [ "${DEVICE}" = "/dev/sdXY" ]; then
  cat << EOF
menuentry "${LONGNAME} (on ${DEVICE})" --class windows --class os --users '' {
EOF
else
  cat << EOF
menuentry "${LONGNAME} (on ${DEVICE})" --class windows --class os {
EOF
fi

Save each of the edited scripts and run update-grub as root to enable the password protection. In the boot menu, selecting a protected item prompts for a user name and password.
Encrypting Passwords
What the GRUB documentation loosely calls encrypting the passwords is really hashing them: instead of the clear-text password, grub.cfg stores a PBKDF2 (SHA-512) hash, and GRUB checks a typed password by recomputing the hash. That greatly limits the damage done by anyone who can read grub.cfg. The hash is produced by a utility called grub-mkpasswd-pbkdf2, which is installed with GRUB 2 and is used alongside the manual editing of a file. When you try it for the first time, keep at least one menu item unprotected until you are certain that you have the setup right (Figure 1).
grub-mkpasswd-pbkdf2 is easy to use. Define the users as described above, then run the command (root is not required, because it only computes a hash) and enter the user's password twice. It prints a string of the form grub.pbkdf2.sha512.ITERATIONS.SALT.HASH, several hundred characters long. Three options tune it: -c NUMBER (--iteration-count) raises the number of PBKDF2 iterations above the default of 10,000, which makes every guess slower for an attacker who has obtained the hash; -s NUMBER (--salt) sets the length of the random salt in bytes (default 64); and -l NUMBER (--buflen) sets the length of the generated hash in bytes (default 64). It is the iteration count, not the length, that makes brute-forcing the hash more expensive.
Copy the generated string and paste it into /etc/grub.d/00_header in place of the clear-text password, so that each password line has the format:
password_pbkdf2 USER HASH
Only the hash is stored; users still type the password itself at the prompt. Run update-grub as before. The hash protects the password from anyone who reads grub.cfg, but a boot disk will still be able to start the system, so the combination with a firmware password and full-disk encryption remains necessary.
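The following Python script is an added illustration for the password setup and the hashing sections above; it is not code from the article or from the GRUB project. It computes hashes in the same grub.pbkdf2.sha512 format that grub-mkpasswd-pbkdf2 prints (PBKDF2-HMAC-SHA512 with the tool's defaults), verifies a typed password against a stored hash the way GRUB's password_pbkdf2 command does, renders the superusers and password_pbkdf2 block as a ready-made /etc/grub.d script, and inserts --users or --unrestricted into a menuentry line. The script name 01_users, the user names root and alice, and the sample passwords are assumptions of the example.

```python
"""GRUB 2 PBKDF2 password hashes and an /etc/grub.d user script.

Added example, not from the article or the GRUB project. grub_pbkdf2_hash()
re-implements what grub-mkpasswd-pbkdf2 computes (PBKDF2-HMAC-SHA512,
default 10,000 iterations, 64-byte salt, 64-byte output), so a hash copied
from grub.cfg can be checked offline. File name 01_users and the user names
root/alice are assumptions.
"""
import hashlib
import hmac
import os
import re

# Format written by grub-mkpasswd-pbkdf2 and parsed by the password_pbkdf2 command.
GRUB_PBKDF2_RE = re.compile(
    r"^grub\.pbkdf2\.sha512\.(\d+)\.([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)$")


def grub_pbkdf2_hash(password, iterations=10000, salt=None, buflen=64):
    """Return grub.pbkdf2.sha512.<iter>.<salt>.<hash>, like
    grub-mkpasswd-pbkdf2 -c iterations -s len(salt) -l buflen."""
    if salt is None:
        salt = os.urandom(64)  # tool default: 64 random bytes
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                             iterations, dklen=buflen)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (
        iterations, salt.hex().upper(), dk.hex().upper())


def parse_grub_pbkdf2(stored):
    """Split a stored hash into (iterations, salt, digest); reject anything else."""
    m = GRUB_PBKDF2_RE.match(stored)
    if not m:
        raise ValueError("not a grub.pbkdf2.sha512 hash: %r" % stored[:40])
    return int(m.group(1)), bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3))


def verify_grub_pbkdf2(password, stored):
    """True if password matches the stored hash (constant-time comparison)."""
    iterations, salt, digest = parse_grub_pbkdf2(stored)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                             iterations, dklen=len(digest))
    return hmac.compare_digest(dk, digest)


def render_users_script(superusers, hashed_users):
    """Text of an /etc/grub.d script that defines superusers and
    password_pbkdf2 users. Every superuser must have a hash; clear-text
    passwords are refused so they never reach grub.cfg."""
    missing = [u for u in superusers if u not in hashed_users]
    if missing:
        raise ValueError("superusers without a password: %s" % ", ".join(missing))
    for h in hashed_users.values():
        parse_grub_pbkdf2(h)
    lines = ["#!/bin/sh",
             "# GRUB users (generated); chmod 755 this file and run update-grub",
             "cat <<EOF",
             'set superusers="%s"' % ",".join(superusers)]
    for user, h in hashed_users.items():
        lines.append("password_pbkdf2 %s %s" % (user, h))
    lines += ["export superusers", "EOF", ""]
    return "\n".join(lines)


def restrict_menuentry(line, users=None, unrestricted=False):
    """Insert --users '...' or --unrestricted before the brace of a plain
    'menuentry ... {' line (the form used in 30_os-prober). users=[] gives
    --users '' (superusers only); a line already carrying an option is left alone."""
    stripped = line.rstrip()
    if not stripped.startswith("menuentry") or not stripped.endswith("{"):
        raise ValueError("expected a 'menuentry ... {' line")
    if "--users" in stripped or "--unrestricted" in stripped:
        return stripped
    opt = "--unrestricted" if unrestricted else "--users '%s'" % ",".join(users or [])
    return stripped[:-1].rstrip() + " " + opt + " {"


if __name__ == "__main__":
    # Constructed sample: one superuser, one ordinary user (assumed names/passwords).
    users = {"root": grub_pbkdf2_hash("rootpw"), "alice": grub_pbkdf2_hash("alicepw")}
    print(render_users_script(["root"], users))
    win = 'menuentry "${LONGNAME} (on ${DEVICE})" --class windows --class os {'
    print(restrict_menuentry(win, users=["alice"]))
    print(verify_grub_pbkdf2("alicepw", users["alice"]))  # True
```

Save the rendered text as /etc/grub.d/01_users, make it executable, and run update-grub; the low prefix keeps it next to 00_header, where the article puts the same lines by hand. To check a hash that is already in grub.cfg, paste the grub.pbkdf2 string into verify_grub_pbkdf2(). The printf-style line in 10_linux is not a plain menuentry line and is still edited by hand as described above.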