Old December 6th, 2004   #1
HungSquirrel
HOWTO: Password protect your GRUB entries

If you don't want someone booting your machine without permission, you can add a password to your GRUB entries. You can add a password only to specific entries if you wish; this will require a user to enter a password before loading only those boot entries you protect. This can be useful when done on your Recovery Mode entries, which bring up a passwordless root login by default.

To get started, let's first encrypt the password we want to use. Open up a terminal and enter the grub command. This brings up a grub shell. In this shell, enter the md5crypt command. When prompted, type in the password you want on your grub entries. (Don't worry, this won't write anything to your files!) After pressing Enter, you will be given an encrypted password string. Copy the string to your clipboard. Enter quit to exit the grub shell and return to bash.

Code:
    GNU GRUB  version 0.95  (640K lower / 3072K upper memory)

 [ Minimal BASH-like line editing is supported.  For the first word, TAB
   lists possible command completions.  Anywhere else TAB lists the possible
   completions of a device/filename. ]

grub> md5crypt

Password: *************
Encrypted: $1$w7Epf0$vX6rxpozznLAVxZGkcFcs.

grub>

Now that we have an encrypted password, it's time to add it to grub. Using sudo, open up /boot/grub/menu.lst using your favorite text editor.

After the "initrd" line for each entry you want to password protect, start a new line beginning with password --md5 and paste in your newly-encrypted password. Using the above example password on the i386 recovery entry, this:
Code:
title Ubuntu, kernel 2.6.8.1-2-386 (recovery mode)
        root (hd1,2)
        kernel /boot/vmlinuz-2.6.8.1-2-386 root=/dev/hdb3 ro single
        initrd /boot/initrd.img-2.6.8.1-2-386

Becomes this:
Code:
title Ubuntu, kernel 2.6.8.1-2-386 (recovery mode)
        root (hd1,2)
        kernel /boot/vmlinuz-2.6.8.1-2-386 root=/dev/hdb3 ro single
        initrd /boot/initrd.img-2.6.8.1-2-386
        password --md5 $1$w7Epf0$vX6rxpozznLAVxZGkcFcs.

You must add such a line after every entry you want to password protect. As I mentioned earlier, I password protected my recovery mode entries out of sheer paranoia.

Save the file, and reboot. (The first time you try this, I suggest only doing it to one entry so you can test it to make sure it works, and you can still use another entry to boot your machine in case something went wrong.)

For a bit of added peace of mind, you can prevent everyone except root from reading /boot/grub/menu.lst by doing:

Code:
sudo chmod 600 /boot/grub/menu.lst
__________________
$ whatis themeaningoflife
themeaningoflife: not found
Old December 11th, 2004   #2
jdong
Re: HOWTO: Password protect your GRUB entries

Let's add a few disclaimers:

WARNING #1: This is not failproof. Duh, nothing ever is. It doesn't take much effort to pull out a LiveCD and bypass this.

WARNING #2: Don't use an 'important password' for this! The password can be read through a LiveCD and such. Yes -- even if you do chmod it. And you can't store GRUB on an encrypted partition, either! LOL.
Old December 11th, 2004   #3
poptones
If you don't want someone booting your computer...

Don't leave it alone.

If you want to make sure your information is reasonably secure when you're not around, move /home, /var, /tmp and /root into /usr and encrypt /usr. If you want to make sure no one can even boot it, setup a bios password and lock the case.

Oh... and make sure you always turn the machine off when you're not around.

Anything else is just adding inconvenience for nothing.

Last edited by poptones; December 11th, 2004 at 11:26 AM..
Old January 26th, 2007   #4
Ramses de Norre
Re: HOWTO: Password protect your GRUB entries

Quote:
Originally Posted by jdong
WARNING #2: Don't use an 'important password' for this! The password can be read through a LiveCD and such. Yes -- even if you do chmod it. And you can't store GRUB on an encrypted partition, either! LOL.

They can only read the md5sum, can't they? And as far as I know it's almost impossible to retain the password from a dirty md5 hash like the ones created by md5crypt (dirty means there are random characters inserted).
Old April 21st, 2007   #5
zasf
Re: HOWTO: Password protect your GRUB entries

Quote:
Originally Posted by jdong
Let's add a few disclaimers:

WARNING #1: This is not failproof. Duh, nothing ever is. It doesn't take much effort to pull out a LiveCD and bypass this.

WARNING #2: Don't use an 'important password' for this! The password can be read through a LiveCD and such. Yes -- even if you do chmod it. And you can't store GRUB on an encrypted partition, either! LOL.

What if you also password protect BIOS settings and you don't allow the comp to be booted via CDROM? I think the combination of grub and bios password protected is a good solution... if you assume that nobody would steal your comp and mount the hard disk on another machine.
__________________
--
Matteo
Old April 25th, 2007   #6
toxic-hero
Re: HOWTO: Password protect your GRUB entries

What if I have a dual boot system with Ubuntu & windoze? I set up a password to my Ubuntu recovery mode boot. So, do I also have to set up a password to a windoze boot? And how to do that???

toxic
Old May 9th, 2007   #7
virx
Re: HOWTO: Password protect your GRUB entries

Now I have to enter password every time I boot.

Is it possible to make GRUB ask for password only if somebody tries to edit GRUB lines during boot (wants to boot into single user mode) or disable GRUB editing during boot (disable 'e' key)?


EDIT: And the answer is:
If I put
password --md5 $1$w7Epf0$vX6rxpozznLAVxZGkcFcs.
before kernels and titles (check menu.lst, where password is commented out),
I get what I want

Last edited by virx; May 9th, 2007 at 01:55 AM..
Old May 23rd, 2007   #8
soul_rebel
Re: HOWTO: Password protect your GRUB entries

This "guide" is really imprecise!
You don't need to manually add the password line to every boot stanza you want to lock!
Also in this way you don't secure the interactive prompt!

You add the password line before any boot stanza, just as shown in the file's comments.

Then you add a line that says:
Code:
lock

to any static entry you wish to password protect. Static entries are before the line
Code:
### BEGIN AUTOMAGIC KERNELS LIST

and after
Code:
### END DEBIAN AUTOMAGIC KERNELS LIST

Any non-Linux OS is a static entry.

For recovery mode, you want to change the line:
Code:
# lockalternative=false

to:
Code:
# lockalternative=true

leaving the initial comment.
After that you run
Code:
update-grub

This way every time you update the kernel, the recovery entry will be locked automatically.

Please fix the first post.
__________________
Adopt an unanswered post!

Do not learn unix like "type this to do that", get some real knowledge.
My blog

Last edited by soul_rebel; May 23rd, 2007 at 01:39 AM..
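
A way to check a menu.lst against the points made in this post and in the first post, as an added example that is not part of the thread. The function name `audit_menu_lst` and both sample files are constructed for illustration; the hash is the example value from the first post. It flags a missing global password, `lock` used without one, plaintext passwords, `lockalternative=false`, and single-user entries that carry neither `lock` nor `password`.

```python
import re

def audit_menu_lst(text):
    """Return a list of findings for a GRUB legacy menu.lst given as a string."""
    findings, global_pw, stanzas, current = [], False, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"#\s*lockalternative\s*=\s*false\b", line):
            findings.append("lockalternative=false: update-grub leaves recovery entries unlocked")
        if not line or line.startswith("#"):
            continue
        cmd, *rest = re.split(r"[\s=]+", line, maxsplit=1)
        args = rest[0] if rest else ""
        if cmd == "title":                      # start of a boot stanza
            current = (args, [])
            stanzas.append(current)
        elif current is not None:               # command inside a stanza
            current[1].append((cmd, args))
        elif cmd == "password":                 # before the first title: global
            global_pw = True
        if cmd == "password" and not args.startswith("--md5"):
            findings.append("password stored in plaintext (no --md5)")
    if not global_pw:
        findings.append("no global password: entries can be edited at the boot menu")
    for title, cmds in stanzas:
        names = {c for c, _ in cmds}
        if "lock" in names and not global_pw:
            findings.append(f"{title}: 'lock' does nothing without a global password")
        single = any(c == "kernel" and "single" in a.split() for c, a in cmds)
        if single and not names & {"lock", "password"}:
            findings.append(f"{title}: single-user entry boots without a password")
    return findings

# Constructed samples; the hash is the example value from the first post.
WEAK = """\
# lockalternative=false
title Ubuntu, kernel 2.6.8.1-2-386 (recovery mode)
    root (hd1,2)
    kernel /boot/vmlinuz-2.6.8.1-2-386 root=/dev/hdb3 ro single
"""
HARDENED = """\
password --md5 $1$w7Epf0$vX6rxpozznLAVxZGkcFcs.
# lockalternative=true
title Ubuntu, kernel 2.6.8.1-2-386 (recovery mode)
    lock
    root (hd1,2)
    kernel /boot/vmlinuz-2.6.8.1-2-386 root=/dev/hdb3 ro single
"""
```

A file that follows the first post (a per-entry `password --md5` line and nothing before the first `title`) still gets the "no global password" finding, which is the gap this post points out.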
Old May 25th, 2007   #9
ferthur_opensource
Re: HOWTO: Password protect your GRUB entries

The last time I checked, most computers these days offer a "Hard Drive Lock" password option in their BIOS. Using this means that even if your HDD is moved to a different computer, or a liveCD is used, the data still cannot be read from the drive. That alone is a pretty decent measure to prevent people from booting your computer without your permission. A little off topic as it doesn't cover GRUB, but all the same it does deal with boot-time security.
Old June 2nd, 2007   #10
toxic-hero
Re: HOWTO: Password protect your GRUB entries

Does grub-md5-crypt use salt? I read that hashes without salt are much easier to crack.

toxic
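
On the salt question: the `$1$w7Epf0$vX6rxpozznLAVxZGkcFcs.` string from the first post is in the MD5-crypt format `$1$<salt>$<digest>`, so the salt sits in the clear next to the digest. The added example below is not part of the thread and its function names are illustrative; it splits such a string into its fields and recomputes an MD5-crypt digest under a given salt, so the same password can be seen to hash differently under a different salt.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def parse_md5crypt(entry):
    """Split '$1$<salt>$<digest>' into (salt, digest)."""
    parts = entry.split("$")
    if len(parts) != 4 or parts[0] or parts[1] != "1":
        raise ValueError("not an MD5-crypt ($1$) string")
    salt, digest = parts[2], parts[3]
    if not 0 < len(salt) <= 8 or len(digest) != 22:
        raise ValueError("unexpected salt or digest length")
    return salt, digest

def md5crypt(password, salt):
    """Compute the MD5-crypt string for password under the given salt."""
    pw, s = password.encode(), salt.encode()
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + s)
    ctx.update((alt * (len(pw) // 16 + 1))[:len(pw)])
    n = len(pw)
    while n:                      # one byte per bit of the password length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):         # fixed 1000 rounds of key stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12, 4), (1, 7, 13, 4), (2, 8, 14, 4),
              (3, 9, 15, 4), (4, 10, 5, 4), (None, None, 11, 2))
    out = ""
    for a, b, c3, n in groups:
        v = final[c3] if a is None else (final[a] << 16) | (final[b] << 8) | final[c3]
        for _ in range(n):
            out += ITOA64[v & 0x3F]
            v >>= 6
    return f"$1${salt}${out}"

def verify(password, entry):
    """Recompute with the stored salt and compare in constant time."""
    salt, _ = parse_md5crypt(entry)
    return hmac.compare_digest(md5crypt(password, salt), entry)
```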