Passwords and Encryption

Defense in Depth

Since GRUB 2 passwords can be so easily circumvented, you might wonder if they are worth setting up, especially when one mistake can lock you out of your system and require awkward recovery time. It is true that depending only on GRUB 2's own security would provide weak protection. However, a basic principle of security is defense in depth.

Simply put, defense in depth means setting up as many security measures as possible. If one measure fails to stop an intruder, another one will. Moreover, if a security measure requires a time-consuming workaround, then an intruder has to be strongly motivated to persist, especially if there is a chance that other measures also have to be circumvented. In other words, some defenses are simply not worth the time to penetrate.

I would put GRUB 2's passwords and encryption into this second category. Their value lies less in absolute security than in their nuisance value for intruders and their role as only one of a number of defenses. If you doubt that, make a deliberate mistake in your GRUB 2 configuration and try to recover from it. Even if you know exactly what to do, you may still resent the loss of time. At that moment, you will understand why even relatively weak security can still be part of your defenses.

However, if you want truly strong encryption, encrypt the /boot partition during installation; then, set up GRUB 2 following the concise instructions on the Debian wiki [4]. The instructions assume a higher degree of expertise than is required to edit GRUB 2 files, which is why I have not detailed them here.

Infos

  1. GRUB 2: https://www.gnu.org/software/grub/
  2. /etc/default/grub fields: https://help.ubuntu.com/community/Grub2/Setup#User_Settings:_.2Fetc.2Fdefault.2Fgrub
  3. Sample /etc/grub.d files: https://www.apt-browse.org/browse/ubuntu/trusty/main/i386/grub-common/2.02~beta2-9/file/etc/grub.d/
  4. GRUB 2 and encrypted boot: https://wiki.debian.org/Grub2#Configure_encrypted_.2Fboot

The Author

Bruce Byfield is a computer journalist and a freelance writer and editor specializing in free and open source software. In addition to his writing projects, he also teaches live and e-learning courses. In his spare time, Bruce writes about Northwest Coast art. You can read more of his work at http://brucebyfield.wordpress.com

« Previous 1 2

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Grub 2 Editor
    GRUB 2 Editor
    more »
  • Grub Customizer

    Is the simple black and white GRUB menu causing confusion and obscuring important choices? Why not customize with GRUB themes and the Grub Customizer?

    more »
  • Ask Klaus!

    Klaus Knopper is the creator of Knoppix and co-founder of LinuxTag expo. He currently works as a teacher, programmer, and consultant. If you have a configuration problem, or if you just want to learn more about how Linux works, send your questions to: klaus@linux-magazine.com

    more »
  • Rescatux Rescue Disk

    If your computer fails to boot, you need a helping hand. Rescatux combines proven repair and rescue tools.

    more »
  • Configuring Dual Boot

    When two systems share a single computer, a boot manager handles the prompts that determine which system to boot. We’ll show you several multiple boot scenarios and describe how to set up your system for dual booting Linux with Windows.

    more »
comments powered by Disqus

Visit Our Shop

Trial Subscription

Digital Subscription

Subscribe

Direct Download

Read full article as PDF:

Price $2.95

Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs

News

Tag Cloud

Administration Community Desktop Events Hardware Linux Linux Pro Magazine Mobile Programming Software Ubuntu Web Development Windows free software open source