Command Line – GRUB 2

A boot manager is almost as much of the Linux tradition as compiling a custom kernel. Traditionally, a boot manager has been used for choosing a kernel to start and for running multiple operating systems on a single computer. However, at a time when everybody is becoming security conscious, few are aware that GRUB 2, the most popular boot manager, is also capable of using passwords and encryption to provide another level of security [1]. Admittedly, GRUB 2 security is not enough by itself, but it is still worth adding to your in-depth defenses.

GRUB 2 has existed for well over a decade and is rapidly replacing GRUB Legacy, the original version of the boot manager, especially in major distributions. As a result, its basic operation and traditional uses are reasonably well-known. However, before I dive into setting up passwords and encryption, a quick overview is useful, both as a reminder and as an introduction for those who might be still using GRUB Legacy or another boot manager, like the now discontinued LILO.

GRUB 2 has configuration files in several places. The first is the /boot/grub/ directory, which contains grub.cfg, the main configuration file. However, unlike GRUB Legacy, the main configuration file is not edited directly. Neither are the config files for each menu item that are stored in /boot. Instead, GRUB 2 is updated automatically when a kernel is added or deleted from the system or when the user runs the command update-grub, which creates the menu list of available kernels and operating systems. Resources such as the background image are also generally stored in /boot/grub/, although they can be stored in another path.

Setting GRUB Display Options and Behavior

The first GRUB 2 configuration file that is directly edited is /etc/default/grub [2]. This file sets display and performance settings (Table 1). Typically, these options consist of a human-readable value, each of which is edited by either uncommenting the option or changing the value. You might, for example, change the value GRUB_TIMEOUT from its default of five seconds on a Debian system to 20 seconds if you had a long list of different kernels that a user needs to read through before choosing one. The file is heavily commented, but full instructions for editing /etc/default/grub can be had by running the command:

info -f grub -n 'Simple configuration'

No man file is available. GNU projects like GRUB often prefer to use info instead. The third source of configuration information are the files in the /etc/grub.d/ directory. Each file in /grub.d is an executable file, whose name indicates the order in which it is run at bootup. For example, Table 2 shows the GRUB 2 configuration files commonly found in Linux. Most of these files are created automatically as you install Linux and only require editing if you want additional refinements, such as passwords or encryption. An especially important section comprises the 40_custom files, which are designed for your own entries. These custom files are useful for restoring a system from a recovery disk, although that is a subject outside the scope of this article.

Each time you finish editing /etc/default/grub or any file in /etc/grub.d, or you make changes in both locations, they only take effect after you run update-grub as root. Running this command rebuilds /boot/grub/grub.cfg, so be sure your changes are valid and typo-free before running update-grub. In fact, backing up grub.cfg will reduce your recovery time if the worst happens.

Other scripts for modifying GRUB 2 also exist (e.g., grub-mkfont) that do much of the work for you. However, I emphasize customizing using a text editor, because that is what setting passwords and using encryption requires, and it gives users a chance to learn the application in depth.

Setting Up Password Support

GRUB 2 supports passwords for the entire menu, the type of operating system, and individual menu items. By itself, the password support does not provide comprehensive security, since by default, all passwords are stored in plain text and can be bypassed by booting from a security disk.

To set up passwords, you must have os-prober installed on your system. Three files need to be edited as root: /etc/grub.d/00_header*, /etc/grub.d/10_linux, and /etc/grub.d/30_os-prober. Back up all three anywhere outside /etc/grub.d, so you can easily recover from any problems. Do not place the backups in /grub.d, or GRUB 2 may overwrite them. If you have the expertise and need a reference, you can find a sample file online [3].

The setup for passwords requires four steps:

1. Add a root user and password. This root user can access all menu items. Technically, the information can be added to any of these three files, but usually it is placed in /etc/grub.d/00_header. Scroll all the way down to the bottom of the file and add lines with the following structure:

   cat <<EOF
   set superusers="USER"
   password USER PASSWORD
   export superusers
   EOF

2. Add other users. You will probably give all other users on the system a password for each menu item, but first you need to make GRUB aware of each user. Use the structure password USER PASSWORD, adding one user per line below the password line for the root user.

3. Once the users are defined, decide which menu items to password protect. Any user will be able to select unprotected menu items, and the root user can select any items, entering a password to select protected ones. Other users must be specifically permitted to open protected menu items. You can set up menu items for using passwords by opening /etc/grub.d/10_linux and finding the line:

   printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"

Add --users '' after ${CLASS}, so that the line reads:

printf "menuentry '${title}' ${CLASS} --users '' {\n" "${os}" "${version}"

Note that --users is followed by two single quotation marks, not a double one.

1. If necessary, create an /etc/grub.d/30_os-prober file, using online examples. Then, to add password protection to all entries, run:

   sed 's/--class os /--class os --users /' -i /etc/grub.d/30_os-prober

Alternatively, you can set passwords for a certain type of operating system by adding --users before the last curly bracket on the line. For instance, for Linux, the edited line should read:

menuentry "${LLABEL} (on ${DEVICE})" --class gnu-linux --class gnu --class os --users {

While for Windows, the edited line would be:

menuentry "${LONGNAME} (on ${DEVICE})" --class windows --class os {

Should you want to password protect a particular partition that has an operating system on it, find in /etc/grub/330_osprober the lines:

cat << EOF
menuentry "${LONGNAME} (on ${DEVICE})" --class windows --class os {
EOF

Edit them to read as shown in Listing 1. Replace DEVICE in line 1 with the name of the partition (e.g., /dev/sd5).

01 if [ ${DEVICE} = "/dev/sdXY" ]; then
02 cat << EOF
03 menuentry "${LONGNAME} (on ${DEVICE})" --users "" {
04 EOF
05
06 else
07 cat << EOF
08 menuentry "${LONGNAME} (on ${DEVICE})"
09 EOF
10 fi

Save each of the edited scripts and run grub-update to enable the password protection. At the login screen, clicking a menu item results in a pop-up box for entering the user name and password.

Encrypting Passwords

Encryption greatly enhances the effectiveness of GRUB 2 passwords. However, somewhat arbitrarily, GRUB 2 encryption depends on a utility called grub-mkpasswd-pbkdf2 as much as on the manual editing of a file. grub-mkpasswd-pbkdf2 is included with GRUB 2 when it is installed, but when you try it for the first time, you should probably keep at least one menu item unprotected and unencrypted, at least until you are certain that you have the setup right (Figure 1).

Figure 1: grub-mkpasswd-pbkdf2 is a simple tool for creating an encrypted hash for a GRUB 2 password.

grub-mkpasswd-pbkdf2 is easy to use. Rather than editing manually, set up passwords and then run the command as root and generate the encryption hash by entering a user's password twice. By default, the result is a hash of several hundred characters, but you can increase the length of the hash – and the resulting strength of encryption – by increasing the number of iterations with the c=NUMBER option and the amount of salt (random data) with the option -s=NUMBER. You can also use -l to increase the length of the hash.

Create the password and then copy and paste it into /etc/grub.d/00_header so that each password line has the format:

password_pbkdf2 USER ENCRYPTED-PASSWORD

The password will be stored in encrypted form, but users will type in the unencrypted form. Although a boot disk will still be able to boot into the system, the result will strengthen GRUB 2 passwords in general. However, until grub-mkpasswd-pbkdf has been tested more, use it cautiously.