Passwords and Encryption

Command Line – GRUB 2

© Lead Image © Sergey Nivens, 123RF.com

© Lead Image © Sergey Nivens, 123RF.com

Article from Issue 219/2019
Author(s):

More than just a boot manager, GRUB 2 can help you add another line of protection to your security defenses.

A boot manager is almost as much of the Linux tradition as compiling a custom kernel. Traditionally, a boot manager has been used for choosing a kernel to start and for running multiple operating systems on a single computer. However, at a time when everybody is becoming security conscious, few are aware that GRUB 2, the most popular boot manager, is also capable of using passwords and encryption to provide another level of security [1]. Admittedly, GRUB 2 security is not enough by itself, but it is still worth adding to your in-depth defenses.

GRUB 2 has existed for well over a decade and is rapidly replacing GRUB Legacy, the original version of the boot manager, especially in major distributions. As a result, its basic operation and traditional uses are reasonably well-known. However, before I dive into setting up passwords and encryption, a quick overview is useful, both as a reminder and as an introduction for those who might be still using GRUB Legacy or another boot manager, like the now discontinued LILO.

GRUB 2 has configuration files in several places. The first is the /boot/grub/ directory, which contains grub.cfg, the main configuration file. However, unlike GRUB Legacy, the main configuration file is not edited directly. Neither are the config files for each menu item that are stored in /boot. Instead, GRUB 2 is updated automatically when a kernel is added or deleted from the system or when the user runs the command update-grub, which creates the menu list of available kernels and operating systems. Resources such as the background image are also generally stored in /boot/grub/, although they can be stored in another path.

Setting GRUB Display Options and Behavior

The first GRUB 2 configuration file that is directly edited is /etc/default/grub [2]. This file sets display and performance settings (Table 1). Typically, these options consist of a human-readable value, each of which is edited by either uncommenting the option or changing the value. You might, for example, change the value GRUB_TIMEOUT from its default of five seconds on a Debian system to 20 seconds if you had a long list of different kernels that a user needs to read through before choosing one. The file is heavily commented, but full instructions for editing /etc/default/grub can be had by running the command:

info -f grub -n 'Simple configuration'

Table 1

Selected Entries in /etc/default/grub

GRUB_DEFAULT

Sets the default menu item to boot.

GRUB_TIMEOUT

Sets the time before GRUB 2 boots; default if no choice is made or no key is pressed to show menu.

GRUB_HIDDEN_TIMEOUT

Shows how long before GRUB 2 boots when no menu displays.

GRUB_HIDDEN_TIMEOUT_QUIET

Suppresses countdown when no menu displays.

GRUB_DISTRIBUTOR

Shows the variant of GRUB 2 used.

GRUB_BADRAM

Prevents GRUB 2 from using designated bad RAM.

GRUB_TERMINAL

Disables graphical display.

GRUB_GFXMODE

Sets resolution for GRUB 2.

GRUB_INIT_TUNE

Beeps when boot begins.

GRUB_BACKGROUND

Show the path to the splash screen to use with GRUB 2.

No man file is available. GNU projects like GRUB often prefer to use info instead. The third source of configuration information are the files in the /etc/grub.d/ directory. Each file in /grub.d is an executable file, whose name indicates the order in which it is run at bootup. For example, Table 2 shows the GRUB 2 configuration files commonly found in Linux. Most of these files are created automatically as you install Linux and only require editing if you want additional refinements, such as passwords or encryption. An especially important section comprises the 40_custom files, which are designed for your own entries. These custom files are useful for restoring a system from a recovery disk, although that is a subject outside the scope of this article.

Table 2

Common Files in /etc/grub.d

Third-party apps and custom apps may vary with the distribution.

00_*

Linux headers

00_header

Sets environmental variables, such as system file locations and video settings

05_debian_theme

Sets the theme for the menu display and the splash screen behind it

10_*

Boot entry headings for distribution

10_linux

Identifies the Linux kernel

20_*

Third-party apps

20_memtest86+

Displays option for /boot/memtest86+.bin if it is present

20_linux_xen

Must use for interaction with Xen virtualization

30_uefi-firmware

Sets variables needed to run with UEFI

30_os-prober

Searches for Linux and Windows operating systems if os-prober is installed

40_custom*

User-generated scripts

40_custom

Provides a template for adding other custom menu entries

41_custom

Custom menu entries

Each time you finish editing /etc/default/grub or any file in /etc/grub.d, or you make changes in both locations, they only take effect after you run update-grub as root. Running this command rebuilds /boot/grub/grub.cfg, so be sure your changes are valid and typo-free before running update-grub. In fact, backing up grub.cfg will reduce your recovery time if the worst happens.

Other scripts for modifying GRUB 2 also exist (e.g., grub-mkfont) that do much of the work for you. However, I emphasize customizing using a text editor, because that is what setting passwords and using encryption requires, and it gives users a chance to learn the application in depth.

Setting Up Password Support

GRUB 2 supports passwords for the entire menu, the type of operating system, and individual menu items. By itself, the password support does not provide comprehensive security, since by default, all passwords are stored in plain text and can be bypassed by booting from a security disk.

To set up passwords, you must have os-prober installed on your system. Three files need to be edited as root: /etc/grub.d/00_header*, /etc/grub.d/10_linux, and /etc/grub.d/30_os-prober. Back up all three anywhere outside /etc/grub.d, so you can easily recover from any problems. Do not place the backups in /grub.d, or GRUB 2 may overwrite them. If you have the expertise and need a reference, you can find a sample file online [3].

The setup for passwords requires four steps:

  1. Add a root user and password. This root user can access all menu items. Technically, the information can be added to any of these three files, but usually it is placed in /etc/grub.d/00_header. Scroll all the way down to the bottom of the file and add lines with the following structure:

    cat <<EOF
    set superusers="USER"
    password USER PASSWORD
    export superusers
    EOF
  2. Add other users. You will probably give all other users on the system a password for each menu item, but first you need to make GRUB aware of each user. Use the structure password USER PASSWORD, adding one user per line below the password line for the root user.
  3. Once the users are defined, decide which menu items to password protect. Any user will be able to select unprotected menu items, and the root user can select any items, entering a password to select protected ones. Other users must be specifically permitted to open protected menu items. You can set up menu items for using passwords by opening /etc/grub.d/10_linux and finding the line:

    printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"

Add --users '' after ${CLASS}, so that the line reads:

printf "menuentry '${title}' ${CLASS} --users '' {\n" "${os}" "${version}"

Note that --users is followed by two single quotation marks, not a double one.

  1. If necessary, create an /etc/grub.d/30_os-prober file, using online examples. Then, to add password protection to all entries, run:

    sed 's/--class os /--class os --users /' -i /etc/grub.d/30_os-prober

Alternatively, you can set passwords for a certain type of operating system by adding --users before the last curly bracket on the line. For instance, for Linux, the edited line should read:

menuentry "${LLABEL} (on ${DEVICE})" --class gnu-linux --class gnu --class os --users {

While for Windows, the edited line would be:

menuentry "${LONGNAME} (on ${DEVICE})" --class windows --class os {

Should you want to password protect a particular partition that has an operating system on it, find in /etc/grub/330_osprober the lines:

cat << EOF
menuentry "${LONGNAME} (on ${DEVICE})" --class windows --class os {
EOF

Edit them to read as shown in Listing 1. Replace DEVICE in line 1 with the name of the partition (e.g., /dev/sd5).

Listing 1

Edited /etc/grub/330_osprober File

01 if [ ${DEVICE} = "/dev/sdXY" ]; then
02 cat << EOF
03 menuentry "${LONGNAME} (on ${DEVICE})" --users "" {
04 EOF
05
06 else
07 cat << EOF
08 menuentry "${LONGNAME} (on ${DEVICE})"
09 EOF
10 fi

Save each of the edited scripts and run grub-update to enable the password protection. At the login screen, clicking a menu item results in a pop-up box for entering the user name and password.

Encrypting Passwords

Encryption greatly enhances the effectiveness of GRUB 2 passwords. However, somewhat arbitrarily, GRUB 2 encryption depends on a utility called grub-mkpasswd-pbkdf2 as much as on the manual editing of a file. grub-mkpasswd-pbkdf2 is included with GRUB 2 when it is installed, but when you try it for the first time, you should probably keep at least one menu item unprotected and unencrypted, at least until you are certain that you have the setup right (Figure 1).

Figure 1: grub-mkpasswd-pbkdf2 is a simple tool for creating an encrypted hash for a GRUB 2 password.

grub-mkpasswd-pbkdf2 is easy to use. Rather than editing manually, set up passwords and then run the command as root and generate the encryption hash by entering a user's password twice. By default, the result is a hash of several hundred characters, but you can increase the length of the hash – and the resulting strength of encryption – by increasing the number of iterations with the c=NUMBER option and the amount of salt (random data) with the option -s=NUMBER. You can also use -l to increase the length of the hash.

Create the password and then copy and paste it into /etc/grub.d/00_header so that each password line has the format:

password_pbkdf2 USER ENCRYPTED-PASSWORD

The password will be stored in encrypted form, but users will type in the unencrypted form. Although a boot disk will still be able to boot into the system, the result will strengthen GRUB 2 passwords in general. However, until grub-mkpasswd-pbkdf has been tested more, use it cautiously.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • GRUB 2 Editor
  • Grub Customizer

    Is the simple black and white GRUB menu causing confusion and obscuring important choices? Why not customize with GRUB themes and the Grub Customizer?

  • Ask Klaus!

    Klaus Knopper is the creator of Knoppix and co-founder of LinuxTag expo. He currently works as a teacher, programmer, and consultant. If you have a configuration problem, or if you just want to learn more about how Linux works, send your questions to: klaus@linux-magazine.com

  • Rescatux Rescue Disk

    If your computer fails to boot, you need a helping hand. Rescatux combines proven repair and rescue tools.

  • Configuring Dual Boot

    When two systems share a single computer, a boot manager handles the prompts that determine which system to boot. We’ll show you several multiple boot scenarios and describe how to set up your system for dual booting Linux with Windows.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News