Passwords and Encryption
Command Line – GRUB 2
More than just a boot manager, GRUB 2 can help you add another line of protection to your security defenses.
A boot manager is almost as much of a Linux tradition as compiling a custom kernel. Traditionally, a boot manager has been used for choosing a kernel to start and for running multiple operating systems on a single computer. However, at a time when everybody is becoming security conscious, few are aware that GRUB 2, the most popular boot manager, is also capable of using passwords and encryption to provide another level of security [1]. Admittedly, GRUB 2 security is not enough by itself, but it is still worth adding as one layer of defense in depth.
GRUB 2 has existed for well over a decade and is rapidly replacing GRUB Legacy, the original version of the boot manager, especially in major distributions. As a result, its basic operation and traditional uses are reasonably well-known. However, before I dive into setting up passwords and encryption, a quick overview is useful, both as a reminder and as an introduction for those who might be still using GRUB Legacy or another boot manager, like the now discontinued LILO.
GRUB 2 has configuration files in several places. The first is the /boot/grub/ directory, which contains grub.cfg, the main configuration file. However, unlike GRUB Legacy, the main configuration file is not edited directly, and neither are the kernel and initrd images in /boot that its menu entries point to. Instead, grub.cfg is regenerated automatically when a kernel is added to or removed from the system, or when the user runs the command update-grub, which builds the menu of available kernels and operating systems. Resources such as the background image are also generally stored in /boot/grub/, although they can be stored in another path.
Setting GRUB Display Options and Behavior
The first GRUB 2 configuration file that is edited directly is /etc/default/grub [2]. This file sets display and performance settings (Table 1). Typically, each option takes a human-readable value, and you change it either by uncommenting the option or by changing the value. You might, for example, change GRUB_TIMEOUT from its default of five seconds on a Debian system to 20 seconds if you had a long list of kernels that a user needs to read through before choosing one. The file is heavily commented, but full instructions for editing /etc/default/grub can be found by running the command:
info -f grub -n 'Simple configuration'
Table 1
Selected Entries in /etc/default/grub
Option | Meaning
---|---
GRUB_DEFAULT | Sets the default menu item to boot.
GRUB_TIMEOUT | Seconds the menu is shown before the default entry boots if no key is pressed.
GRUB_HIDDEN_TIMEOUT | Seconds to wait before booting when the menu is hidden (a key press shows it).
GRUB_HIDDEN_TIMEOUT_QUIET | Suppresses the countdown while the menu is hidden.
GRUB_DISTRIBUTOR | Distributor name used in the titles of the generated menu entries.
GRUB_BADRAM | Lists address ranges of defective RAM that GRUB 2 filters out (badram).
GRUB_TERMINAL | Selects the terminal; setting it to console disables the graphical display.
GRUB_GFXMODE | Sets the resolution of the graphical terminal.
GRUB_INIT_TUNE | Plays a tune through the PC speaker when GRUB 2 starts.
GRUB_BACKGROUND | Path to the background image shown behind the menu.
No man page is available; GNU projects like GRUB often prefer info. The third source of configuration information is the set of files in the /etc/grub.d/ directory. Each file in /etc/grub.d/ is an executable script, and the numeric prefix of its name determines the order in which update-grub runs it when it builds grub.cfg. Table 2 shows the GRUB 2 configuration scripts commonly found on a Linux system. Most of these files are created automatically when you install Linux and only require editing if you want additional refinements, such as passwords or encryption. An especially important section comprises the 40_custom files, which are designed for your own entries. These custom files are useful for restoring a system from a recovery disk, although that is a subject outside the scope of this article.
Table 2
Common Files in /etc/grub.d
Third-party apps and custom apps may vary with the distribution.
File | Purpose
---|---
00_* | Header scripts
00_header | Sets environment variables, such as system file locations and video settings
05_debian_theme | Sets the theme for the menu display and the splash screen behind it
10_* | Boot entries for the distribution itself
10_linux | Generates entries for the installed Linux kernels
20_* | Third-party apps
20_memtest86+ | Adds an entry for /boot/memtest86+.bin if it is present
20_linux_xen | Generates entries for booting Linux under the Xen hypervisor
30_uefi-firmware | Adds an entry for entering the UEFI firmware setup on UEFI systems
30_os-prober | Adds entries for other Linux and Windows installations found by os-prober, if it is installed
40_custom* | User-generated scripts
40_custom | Provides a template for adding your own menu entries
41_custom | Loads additional custom entries from /boot/grub/custom.cfg at boot time, if that file exists
Each time you finish editing /etc/default/grub or any file in /etc/grub.d, or you make changes in both locations, they only take effect after you run update-grub as root. Running this command rebuilds /boot/grub/grub.cfg, so be sure your changes are valid and typo-free before running update-grub. In fact, backing up grub.cfg will reduce your recovery time if the worst happens.
Other tools for customizing GRUB 2 also exist (e.g., grub-mkfont for preparing fonts) that do much of the work for you. However, I emphasize customizing with a text editor, because that is what setting passwords and using encryption requires, and it gives users a chance to learn the application in depth.
Setting Up Password Support
GRUB 2 supports passwords for the entire menu, for a type of operating system, and for individual menu items. By itself, password support does not provide comprehensive security: with the plain password command, passwords are stored in grub.cfg in clear text, and the whole mechanism can be bypassed by booting the machine from a rescue disk or live USB stick unless the firmware's boot order is locked as well. It protects the boot menu, the GRUB command line, and the entry editor, not the data on the disk.
The procedure below edits /etc/grub.d/30_os-prober, so it assumes that os-prober is installed on your system. Three files need to be edited as root: /etc/grub.d/00_header, /etc/grub.d/10_linux, and /etc/grub.d/30_os-prober. Back up all three somewhere outside /etc/grub.d, so you can easily recover from any problems. Do not leave the backups in /etc/grub.d, because update-grub runs every executable file in that directory, and a backup copy would be run too, producing duplicate entries. If you have the expertise and need a reference, you can find a sample file online [3].
The setup for passwords requires four steps:
- Add a superuser and password. GRUB calls this account the superuser; it need not correspond to the Unix root account. The superuser can boot all menu items, use the GRUB command line, and edit entries. Technically, the information can be added to any of the three files, but usually it is placed in /etc/grub.d/00_header. Scroll all the way down to the bottom of the file and add lines with the following structure:
cat <<EOF
set superusers="USER"
password USER PASSWORD
export superusers
EOF
- Add other users. You will probably want to give other users access to particular menu items, but first you need to make GRUB aware of each user. Use the structure password USER PASSWORD, adding one user per line below the password line for the superuser, inside the same cat <<EOF block. Once the users are defined, decide which menu items to password protect. The superuser can select any item, entering the password for protected ones; other users must be specifically permitted to open protected menu items with --users, and an entry marked --unrestricted can be booted by anyone without a password. Note that in GRUB 2.00 and later, once superusers is set, an entry that carries neither --users nor --unrestricted is itself restricted to superusers, so mark the entries that everyone should be able to boot with --unrestricted. You can set up menu items for using passwords by opening /etc/grub.d/10_linux and finding the line:
printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
Add --users '' after ${CLASS}, so that the line reads:
printf "menuentry '${title}' ${CLASS} --users '' {\n" "${os}" "${version}"
Note that --users is followed by two single quotation marks, not a double one. An empty user list means that only superusers can boot the entry; to admit specific users, list them instead, for example --users 'alice,bob'.
- If necessary, create an /etc/grub.d/30_os-prober file, using online examples. Then, to add password protection to all the entries it generates, run:
sed 's/--class os /--class os --users /' -i /etc/grub.d/30_os-prober
Alternatively, you can set passwords for a certain type of operating system by adding --users before the closing curly bracket of the matching line. For instance, for Linux, the edited line should read:
menuentry "${LLABEL} (on ${DEVICE})" --class gnu-linux --class gnu --class os --users {
while for Windows, the edited line would be:
menuentry "${LONGNAME} (on ${DEVICE})" --class windows --class os --users {
A bare --users, like --users '', restricts the entry to superusers.
- Should you want to password protect a particular partition that has an operating system on it, find in /etc/grub.d/30_os-prober the lines:
cat << EOF
menuentry "${LONGNAME} (on ${DEVICE})" --class windows --class os {
EOF
Edit them to read as shown in Listing 1. Replace /dev/sdXY in the if test with the name of the partition (e.g., /dev/sda5).
Listing 1
Edited /etc/grub.d/30_os-prober File
if [ "${DEVICE}" = "/dev/sdXY" ]; then
cat << EOF
menuentry "${LONGNAME} (on ${DEVICE})" --class windows --class os --users "" {
EOF
else
cat << EOF
menuentry "${LONGNAME} (on ${DEVICE})" --class windows --class os {
EOF
fi
Save each of the edited scripts and run update-grub to enable the password protection. In the boot menu, selecting a protected item results in a prompt for the user name and password.
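The interaction of superusers, --users, and --unrestricted is easy to get wrong, and the only way to see the result is to reboot. The following script is an added example written for this article, not code from the article or from GRUB: it parses the access-control lines of a generated grub.cfg and answers "who can boot which entry?" with GRUB 2's own decision rules (no superusers means no authentication at all; --unrestricted means anyone; otherwise only superusers or the users named in --users, and, in GRUB 2.00 and later, an entry with neither option is superuser-only). It also flags clear-text password lines and entries that need no password. It goes slightly beyond the steps above in that it handles --users both with and without an argument. The sample grub.cfg embedded in it is constructed, and the PBKDF2 hash in it is a placeholder. Python is used because this is a parser run on the host, not something typed into the boot shell.

```python
"""Who can boot which entry? Parse the access-control lines of a generated grub.cfg
and apply GRUB 2's rules for superusers, --users and --unrestricted. Added example
for this article, not GRUB's code; the sample config below is constructed."""
import re
import shlex
from dataclasses import dataclass

# Constructed sample grub.cfg: a superuser with a placeholder PBKDF2 hash, one
# clear-text user and four entries with different restrictions.
SAMPLE_GRUB_CFG = """\
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.0A0B.1C1D
password alice plaintext-secret
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class os --unrestricted {
    linux /vmlinuz root=/dev/sda1
}
menuentry 'Debian GNU/Linux (recovery mode)' --class debian --class os --users '' {
    linux /vmlinuz root=/dev/sda1 single
}
menuentry 'Windows 10 (on /dev/sda3)' --class windows --class os --users alice {
    chainloader +1
}
menuentry 'Memory test (memtest86+)' {
    linux16 /boot/memtest86+.bin
}
"""

_SEPARATORS = re.compile(r"[ ,;|&]+")             # GRUB's user-list separators
_OPTS_WITH_ARG = {"--class", "--id", "--hotkey"}  # menuentry options taking an argument

def split_users(spec):
    return {u for u in _SEPARATORS.split(spec) if u}

@dataclass
class Entry:
    title: str
    users: "str | None"  # None: --unrestricted; "": superusers only; else a user list

@dataclass
class Policy:
    superusers: set
    plaintext_users: list
    hashed_users: list
    entries: list

def parse_menuentry(line):
    """Parse one 'menuentry TITLE [options] {' line, or return None."""
    if not line.startswith("menuentry "):
        return None
    tokens = shlex.split(line[len("menuentry "):])
    if len(tokens) < 2 or tokens[-1] != "{":
        return None
    title, opts = tokens[0], tokens[1:-1]
    users, i = "", 0  # GRUB 2.00+: neither --users nor --unrestricted => superusers only
    while i < len(opts):
        tok = opts[i]
        if tok == "--unrestricted":
            users = None
        elif tok == "--users":  # optional argument: '--users {' equals "--users ''"
            has_arg = i + 1 < len(opts) and not opts[i + 1].startswith("--")
            users = opts[i + 1] if has_arg else ""
            i += int(has_arg)
        elif tok in _OPTS_WITH_ARG:
            i += 1  # skip the option's argument
        i += 1
    return Entry(title, users)

def parse_policy(cfg_text):
    policy = Policy(set(), [], [], [])
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if m := re.match(r'set\s+superusers=(["\']?)(.*)\1$', line):
            policy.superusers = split_users(m.group(2))
        elif m := re.match(r"password\s+(\S+)\s+\S+", line):  # clear-text password
            policy.plaintext_users.append(m.group(1))
        elif m := re.match(r"password_pbkdf2\s+(\S+)\s+grub\.pbkdf2\.", line):
            policy.hashed_users.append(m.group(1))
        elif (entry := parse_menuentry(line)) is not None:
            policy.entries.append(entry)
    return policy

def can_boot(policy, entry, user):
    """GRUB's decision: no superusers => no authentication at all; --unrestricted => anyone;
    otherwise superusers or the users named in --users. user=None is the anonymous console."""
    if not policy.superusers or entry.users is None:
        return True
    return user in policy.superusers or user in split_users(entry.users)

def audit(cfg_text):
    """Return (policy, findings): what a reviewer of grub.cfg would flag."""
    policy, findings = parse_policy(cfg_text), []
    if not policy.superusers:
        findings.append("superusers is not set: GRUB performs no authentication")
    findings += [f"user {u!r} has a clear-text password; use password_pbkdf2"
                 for u in policy.plaintext_users]
    for e in policy.entries:
        if e.users is None:
            findings.append(f"{e.title!r} boots without a password (--unrestricted)")
        elif e.users == "":
            findings.append(f"{e.title!r} is restricted to superusers")
    return policy, findings
```

Run audit() on the text of your own /boot/grub/grub.cfg after update-grub and walk through can_boot() for the users you expect at the console; on the constructed sample, only the first entry boots without a password, the recovery entry and the memtest entry (which has no option at all) are superuser-only, and alice can boot only the Windows entry.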
Encrypting Passwords
Storing passwords in hashed form greatly improves the effectiveness of GRUB 2 passwords. The plain password command writes the password into grub.cfg in clear text, which requires grub.cfg itself to be kept secure, whereas password_pbkdf2 stores only a salted PBKDF2 hash that cannot be turned back into the password. (What GRUB and this article call encryption is, strictly speaking, one-way hashing.) This depends on a utility called grub-mkpasswd-pbkdf2 as much as on the manual editing of a file. grub-mkpasswd-pbkdf2 is installed together with GRUB 2, but when you try it for the first time, you should keep at least one menu item unprotected, at least until you are certain that you have the setup right (Figure 1).
grub-mkpasswd-pbkdf2 is easy to use. Run it as root and enter the user's password twice; it prints a hash string of the form grub.pbkdf2.sha512.ITERATIONS.SALT.HASH, several hundred characters long. The number of iterations (10000 by default) can be raised with the -c NUMBER (--iteration-count=NUMBER) option. This does not lengthen the hash; it makes every guess proportionally more expensive for an attacker who obtains grub.cfg, and by the same factor slows the check at the boot prompt. The -s NUMBER (--salt=NUMBER) option sets the length of the random salt in bytes, and -l NUMBER (--buflen=NUMBER) sets the length of the generated hash, both 64 bytes by default.
Copy the resulting string into /etc/grub.d/00_header so that each password line has the format:
password_pbkdf2 USER ENCRYPTED-PASSWORD
The password is stored as a hash, but users type the plain password at the prompt. A boot disk will still be able to boot the system, so the result strengthens GRUB 2 passwords rather than replacing disk encryption or a firmware boot password. Keep a rescue medium at hand and an unprotected entry available while you test the setup.
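The string grub-mkpasswd-pbkdf2 prints is not an encrypted password but a salted PBKDF2-HMAC-SHA512 hash, and GRUB checks a typed password by rerunning the same derivation. The following script is an added example, not GRUB's code or the tool itself: it reproduces the derivation and the grub.pbkdf2.sha512.ITERATIONS.SALT.HASH output format (upper-case hex, with the tool's defaults of 10000 iterations and a 64-byte salt and hash), builds the password_pbkdf2 line, and verifies a typed password the way GRUB does at the prompt, so that a line can be generated or checked on a machine where the tool is not installed. The user name and passwords in it are constructed; the salt parameter exists only to make results repeatable for testing.

```python
"""GRUB-compatible PBKDF2 password hashes: what grub-mkpasswd-pbkdf2 prints and how
GRUB checks a typed password against it. Added example for this article, not GRUB's
own code; it reimplements the same RFC 2898 PBKDF2-HMAC-SHA512 derivation and the
same grub.pbkdf2.sha512.ITERATIONS.SALT.HASH string (upper-case hex)."""
import hashlib
import hmac
import os
import re

# grub-mkpasswd-pbkdf2 defaults: -c 10000 iterations, -s 64 salt bytes, -l 64 hash bytes
DEFAULT_ITERATIONS = 10000
DEFAULT_SALT_LEN = 64
DEFAULT_BUFLEN = 64

_HASH_RE = re.compile(r"^grub\.pbkdf2\.sha512\.(\d+)\.([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)$")

def make_grub_hash(password, iterations=DEFAULT_ITERATIONS, salt_len=DEFAULT_SALT_LEN,
                   buflen=DEFAULT_BUFLEN, salt=None):
    """Return the string grub-mkpasswd-pbkdf2 prints for `password`. `salt` is a
    parameter only so that tests are repeatable; leave it None in real use."""
    if salt is None:
        salt = os.urandom(salt_len)  # fresh random salt, as the tool does
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, buflen)
    return f"grub.pbkdf2.sha512.{iterations}.{salt.hex().upper()}.{digest.hex().upper()}"

def password_pbkdf2_line(user, password, **kwargs):
    """The line to paste into /etc/grub.d/00_header (or 40_custom)."""
    return f"password_pbkdf2 {user} {make_grub_hash(password, **kwargs)}"

def parse_password_line(line):
    """Split a 'password_pbkdf2 USER HASH' line from grub.cfg into (user, hash)."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "password_pbkdf2":
        raise ValueError("not a password_pbkdf2 line")
    return parts[1], parts[2]

def check_password(stored, candidate):
    """What GRUB does at the prompt: take iteration count and salt from the stored
    string, rerun the derivation on the typed password and compare in constant time.
    Nothing is decrypted; the stored string cannot be turned back into the password."""
    m = _HASH_RE.match(stored)
    if not m:
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    iterations = int(m.group(1))
    salt, expected = bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3))
    got = hashlib.pbkdf2_hmac("sha512", candidate.encode("utf-8"), salt, iterations,
                              len(expected))
    return hmac.compare_digest(got, expected)

if __name__ == "__main__":
    # Constructed example user and passphrase.
    line = password_pbkdf2_line("root", "correct horse battery staple")
    user, stored = parse_password_line(line)
    print(line[:64] + "...", f"({len(stored)} characters)")
    print(user, check_password(stored, "correct horse battery staple"),
          check_password(stored, "nope"))
```

Because the two share salt, iteration count, and digest, a line generated here is accepted by GRUB and a line from an existing grub.cfg can be checked with check_password(); note that two runs on the same password give different strings, since the salt is random, and that a higher -c value shows up in the fourth dotted field.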
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.