Grub 2 Password Protection

GRUB 2 offers basic password protection for its menu and terminal. The user can set up passwords to protect the entire menu or specific menuentries. Passwords can be required for all users or only for selected users. The passwords can be stored in encrypted or unencrypted format. This page will detail the procedures necessary to establish and use the GRUB 2 password option.

In this guide, when the term "GRUB" is used it refers to GRUB 2, version 1.99 or later. Some features such as encrypted passwords may not be available in earlier versions. Users can check the version of GRUB they are using with grub-install -V.

Note: The password security available with GRUB 2 provides basic protection to prevent an unauthorized user from gaining access to the operating system(s) via the GRUB 2 menu. Persons with physical access to the computer can gain access to the files via other methods which GRUB 2 cannot prevent.

GRUB 2 Password Protection Notes

Grub 2 can establish password requirements on:

How It Works

Once a superuser and password are identified and the password feature is enabled, the GRUB 2 menu will appear as it normally does. When a menu item requiring a password is selected, the user will be prompted to enter the correct username and password. If entered correctly, the selected menuentry will continue to boot. If incorrect, the user will be returned to the GRUB 2 menu.

If GRUB 2 is set up to boot directly to a password-protected menuentry without displaying a menu, the username/password prompt will appear and booting will not occur until they are correctly entered.

With at least one user/password identified, access to the GRUB 2 terminal and menuentry editing is restricted to the superuser.

To enable password protection, GRUB 2 requires

To protect one or more menu items:

Warnings & Cautions

Setting Up Password Protection

There are three steps to enabling Grub 2 password protection. The authorized users must be identified, their passwords must be designated, and menu items to be protected must be identified. Users and passwords are manually added to the /etc/grub.d/00_header file *. The file must be edited by an Ubuntu user with administrative authority (root) since it is a system file. The user/password information is automatically added to the GRUB 2 menu configuration file (grub.cfg) when update-grub is run.

To edit the /etc/grub.d/00_header*, /etc/grub.d/10_linux, and /etc/grub.d/30_os-prober files, open them as root with a text editor (such as gedit):

* The superuser/user information and password do not have to be contained in the /etc/grub.d/00_header file. The information can be placed in any /etc/grub.d file as long as that file is incorporated into grub.cfg. The user may prefer to enter this data into a custom file, such as /etc/grub.d/40_custom so it is not overwritten should the Grub package be updated. If placing the information in a custom file, do not include the "cat << EOF" and "EOF" lines as the content is automatically added from these files.

Superuser & Password Designation (Required)

A superuser must be designated. This user can select all menuentries, edit any items in the GRUB 2 menu during the boot process, and access the GRUB 2 terminal.

Note: GRUB 2 1.99 in 12.04 LTS doesn't protect the submenu, i.e. the command line, entry editing and access to entries are not protected! See bug 718670. The workaround is to export the superusers variable by adding an "export superusers" line after the password line. The superuser example would then look like:

set superusers="John"
password John foo
export superusers

Note: GRUB 2 passwords are stored as plain text in readable files. GRUB 2 can encrypt the password using grub-mkpasswd-pbkdf2. See the Password Encryption section for details.

  1. Open /etc/grub.d/00_header and add the following at the bottom of the file.

    • Generic Entry - Superuser Only:

      cat << EOF
      set superusers="user1"
      password user1 password1
      EOF

    • Example of actual entry:

      cat << EOF
      set superusers="John"
      password John 1234
      EOF

Other Users (Optional)

With only the information above entered into the /etc/grub.d/00_header file the GRUB 2 menu and terminal can only be accessed by the superuser. All menu items can be accessed by all users. To password-protect one or more menuentries, continue with the next section.

Protecting Menuentries

The GRUB 2 menu can contain protected and unprotected items. The format for protecting a menu item consists of adding the user access information to the menuentry title line.

Examples:

Adding Protection to Ubuntu Entries

There is currently no automated method of adding users or designating menu items to be protected. The user must manually edit the GRUB 2 scripts. The GRUB 2 menu is a compilation of the inputs of several scripts. The /etc/grub.d/10_linux file is responsible for adding the default Ubuntu OS to the GRUB 2 menu. The instructions below will automatically add password protection to all entries in the 10_linux section of the GRUB 2 menu. The majority of these sections are devoted to editing the default scripts located in the /etc/grub.d/ folder.

Another option is to create a custom menu, add the menu items you wish (including those you want to protect), and disable the standard scripts. The users and passwords can be included in this file rather than in the 00_header file. This may be an easier method of assigning password protection - especially if only some of the menu items will be protected. The formatting is the same as described on this page, except the "cat << EOF" and "EOF" entries are not used. For more information on how to set up a custom menu, refer to Grub 2/CustomMenus.

Before making these changes, it is recommended to save a copy of the /etc/grub.d/10_linux file to another location to serve as a backup. Do not leave the copy in the /etc/grub.d/ folder to ensure it is not run during updates.

In /etc/grub.d/10_linux, find the following line:

Add --users '' :

Save the file, then run:
          sudo update-grub

The --users '' tag will be added to every menuentry located in the "10_linux" section of grub.cfg.

Note:
This document previously stated that you should add --users "" (with quotes instead of apostrophes) to the printf line above:

However, doing so causes grub.cfg to be generated without the quotes after --users, which may cause GRUB to fail with a cryptic "alloc magic is broken" error message.
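To see why the two quoting styles behave differently, here is an added shell example (not taken from the GRUB scripts) that mimics the printf line with each variant and a small check for the broken form; the title and class values are constructed for the demo.

```shell
#!/bin/sh
# Added example: mimics the printf line in /etc/grub.d/10_linux to show why
# --users "" loses its quotes while --users '' keeps them.
# The title and CLASS values below are constructed for the demo.
title="Ubuntu"
CLASS="--class gnu-linux --class gnu --class os"

# Broken variant: inside a double-quoted format string, "" is an empty
# string glued to its neighbours, so the shell's quote removal drops it and
# grub.cfg ends up with "--users  {" (no argument after --users).
bad_entry() {
    printf "menuentry '%s' ${CLASS} --users "" {\n" "$title"
}

# Working variant: '' is literal text inside the double quotes and is
# written to grub.cfg unchanged, so --users gets its (empty) argument.
good_entry() {
    printf "menuentry '%s' ${CLASS} --users '' {\n" "$title"
}

# Check for the broken form: succeed (exit 0) only if no --users flag on the
# given menuentry line is immediately followed by the opening brace.
users_flag_ok() {
    ! printf '%s\n' "$1" | grep -Eq -- '--users[[:space:]]+[{]'
}

echo "broken : $(bad_entry)"
echo "working: $(good_entry)"
users_flag_ok "$(good_entry)" && echo "working variant passes the check"
users_flag_ok "$(bad_entry)" || echo "broken variant fails the check"
```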

Adding Protection to Other Entries

The GRUB 2 menu includes selections for operating systems other than the default Ubuntu OS via the /etc/grub.d/30_os-prober script. The instructions below will automatically add password protection to all entries in the 30_os-prober section of the GRUB 2 menu. This would include other Ubuntu and Linux installations, Windows, etc.

The 30_os-prober script looks for specific types of operating systems. The user can make the changes for all of the OS's via a single command, or individually by OS type as documented below.

Before making any changes the user should save a copy of the /etc/grub.d/30_os-prober file to another location to serve as a backup. Do not leave the copy in the /etc/grub.d/ folder to ensure it is not run during updates.

All 30_os-prober Entries: The user can add password protection to all entries generated by /etc/grub.d/30_os-prober by running the following command, which adds --users to each menuentry found by the script. Alternatively, the user can use the expanded entries to change only specific operating systems as detailed below.

To back up and then alter the /etc/grub.d/30_os-prober to add password protection to all entries:

Select OS Entries:

To enable password protection only on a specific type of operating system add --users immediately following "--class os".

OSX Example: menuentry "${LONGNAME} (${2}-bit) (on ${DEVICE})" --class osx --class darwin --class os --users '' {

Save the file, then run:
          sudo update-grub

Protect the Windows Recovery Partition

It is possible to provide password protection only to a specific partition. One obvious example would be the Windows recovery partition. While the concept could also be applied to other OS sections in the 30_os-prober file or even the 10_linux script, only the lines which search for the Windows OS will be described. Any Windows partition could be protected in the same manner by designating the partition.

Note: This technique will work only if the GRUB 2 menu identifies multiple Windows partitions and one of them is the recovery partition. If only one Windows partition is identified by GRUB because Windows chainloads its own menus, only Windows in its entirety can be protected.

If the user would like only to place password protection on a Windows recovery partition, follow the previous guidance and then:

  1. Determine the Windows Recovery partition (sda1, sda2, etc). Change sdXY to the correct values.

  2. In the /etc/grub.d/30_os-prober file:

    • Change:

        cat << EOF
        menuentry "${LONGNAME} (on ${DEVICE})" --class windows --class os {
        EOF

      To (note that ${DEVICE} is quoted so the test does not break on an empty or unusual value):

        if [ "${DEVICE}" = "/dev/sdXY" ]; then
        cat << EOF
        menuentry "${LONGNAME} (on ${DEVICE})" --users "" {
        EOF
        else
        cat << EOF
        menuentry "${LONGNAME} (on ${DEVICE})" {
        EOF
        fi

  3. Save the file, then run:
          sudo update-grub

Password Encryption

Encrypted password protection (grub-mkpasswd-pbkdf2) has been available in all versions of Grub 2 but was improved in GRUB 1.99.

One of the drawbacks of the password setup discussed so far is that the passwords are entered in plain text in the GRUB 2 files. The degree of security can be greatly enhanced by using Grub 2's grub-mkpasswd-pbkdf2 command. This command converts your desired password into a very long alphanumeric hash which is placed in the GRUB 2 files in place of the password itself. Your actual password is no longer visible in the Grub 2 scripts. While physical access to a computer can bypass the GRUB 2 menu, encryption makes it much more difficult for the casual hacker to determine your menu passwords.

It is worth repeating: Users experimenting with GRUB 2 passwords should keep at least one non-protected menuentry and set the timeout to at least 1 second until testing is complete. This will allow booting a menuentry without a password to correct problematic settings.
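After running update-grub it is easy to check whether the generated grub.cfg actually carries the settings from the Superuser and Password Encryption sections above. The following added shell script (not part of the GRUB project) audits a config for a superuser line, the "export superusers" workaround for bug 718670, leftover plain-text password lines and menuentries with no --users restriction; the sample config and the hash in it are constructed placeholders, not real grub-mkpasswd-pbkdf2 output.

```shell
#!/bin/sh
# Added example: audit a grub.cfg for the password settings described on this
# page. SAMPLE_CFG is constructed for the demo; the hash is a placeholder.
SAMPLE_CFG=$(cat <<'EOF'
set superusers="John"
password_pbkdf2 John grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
password guest 1234
export superusers
menuentry 'Ubuntu' --class gnu-linux --class os --users '' {
    linux /vmlinuz
}
menuentry 'Ubuntu (recovery mode)' --class gnu-linux --class os {
    linux /vmlinuz single
}
menuentry "Windows 7 (on /dev/sda2)" --users "" {
    chainloader +1
}
EOF
)

# exit 0 if a superuser is declared
has_superuser() { printf '%s\n' "$1" | grep -q '^set superusers='; }

# exit 0 if the 12.04 LTS workaround (export superusers) is present
has_export() { printf '%s\n' "$1" | grep -q '^export superusers'; }

# number of plain-text "password user pass" lines (password_pbkdf2 lines are
# not counted); should be 0 once every password has been hashed
count_plain_passwords() {
    printf '%s\n' "$1" | grep -c '^password[[:space:]]' || true
}

# number of menuentry lines carrying no --users restriction at all
count_unprotected_entries() {
    printf '%s\n' "$1" | grep '^menuentry' | grep -vc -- '--users' || true
}

# print findings; exit 1 if anything needs attention, 0 otherwise
audit_grub_cfg() {
    cfg="$1"; rc=0
    has_superuser "$cfg" || { echo "no superuser set"; rc=1; }
    has_export "$cfg"    || { echo "superusers variable not exported"; rc=1; }
    n=$(count_plain_passwords "$cfg")
    [ "$n" -eq 0 ] || { echo "$n plain-text password line(s) found"; rc=1; }
    echo "$(count_unprotected_entries "$cfg") unprotected menuentry line(s)"
    return $rc
}

if audit_grub_cfg "$SAMPLE_CFG"; then echo "config OK"; else echo "needs attention"; fi
```

To check a real system, replace the constructed sample with the contents of /boot/grub/grub.cfg.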


Links

Grub2

Grub2/Installing

Grub2/Troubleshooting

Grub2/Upgrading

External Links:

GNU GRUB Manual


CategoryBootAndPartition

Grub2/Passwords (last edited 2015-08-29 22:23:43 by sim31-3-78-226-144-120)