Books / How To Secure A Linux Server / Chapter 7
Password Protect GRUB
Warning: !! PROCEED AT YOUR OWN RISK !!
Proceed At Your Own Risk
These sections cover things that are high risk, either because there is a possibility they can make your system unusable, or because many consider them unnecessary since the risks outweigh any rewards.
Why should you password protect GRUB?
If a bad actor has physical access to your server, they could use GRUB to gain unauthorized access to your system. On the other hand, a reason not to do it is that if you forget the password, you'll have to go through some work to recover it.
Goals
- auto boot the default Debian install and require a password for anything else
Notes
- This will only protect GRUB and anything behind it like your operating systems. Check your motherboard’s documentation for password protecting your BIOS to prevent a bad actor from circumventing GRUB.
Steps - Password protect GRUB
- Create a Password-Based Key Derivation Function 2 (PBKDF2) hash of your password:

  ```sh
  grub-mkpasswd-pbkdf2 -c 100000
  ```

  The below output is from using `password` as the password:

  ```
  Enter password:
  Reenter password:
  PBKDF2 hash of your password is grub.pbkdf2.sha512.100000.2812C233DFC899EFC3D5991D8CA74068C99D6D786A54F603E9A1EFE7BAEDDB6AA89672F92589FAF98DB9364143E7A1156C9936328971A02A483A84C3D028C4FF.C255442F9C98E1F3C500C373FE195DCF16C56EEBDC55ABDD332DD36A92865FA8FC4C90433757D743776AB186BD3AE5580F63EF445472CC1D151FA03906D08A6D
  ```

- Copy everything after `PBKDF2 hash of your password is`, starting from and including `grub.pbkdf2.sha512...`, to the end. You'll need this in the next step.

- The `update-grub` program uses scripts to generate the configuration files it will use for GRUB's settings. Create the file `/etc/grub.d/01_password` and add the below code after replacing `[hash]` with the hash you copied from the first step. This tells `update-grub` to use this username and password for GRUB.

  ```sh
  #!/bin/sh
  set -e

  # emitted verbatim into grub.cfg: the superuser name and its PBKDF2 hash
  cat << EOF
  set superusers="grub"
  password_pbkdf2 grub [hash]
  EOF
  ```

  For example:

  ```sh
  #!/bin/sh
  set -e

  cat << EOF
  set superusers="grub"
  password_pbkdf2 grub grub.pbkdf2.sha512.100000.2812C233DFC899EFC3D5991D8CA74068C99D6D786A54F603E9A1EFE7BAEDDB6AA89672F92589FAF98DB9364143E7A1156C9936328971A02A483A84C3D028C4FF.C255442F9C98E1F3C500C373FE195DCF16C56EEBDC55ABDD332DD36A92865FA8FC4C90433757D743776AB186BD3AE5580F63EF445472CC1D151FA03906D08A6D
  EOF
  ```

- Set the file's execute bit so `update-grub` includes it when it updates GRUB's configuration:

  ```sh
  sudo chmod a+x /etc/grub.d/01_password
  ```

- Make a backup of GRUB's configuration file `/etc/grub.d/10_linux` that we'll be modifying, and unset the execute bit on the backup so `update-grub` doesn't try to run it:

  ```sh
  sudo cp --archive /etc/grub.d/10_linux /etc/grub.d/10_linux-COPY-$(date +"%Y%m%d%H%M%S")
  sudo chmod a-x /etc/grub.d/10_linux-COPY-*
  ```

- To make the default Debian install unrestricted (without the password) while keeping everything else restricted (with the password), modify `/etc/grub.d/10_linux` and add `--unrestricted` to the `CLASS` variable:

  ```sh
  sudo sed -i -r -e "/^CLASS=/ a CLASS=\"\${CLASS} --unrestricted\" # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" /etc/grub.d/10_linux
  ```

- Update GRUB with `update-grub`:

  ```sh
  sudo update-grub
  ```
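Once `update-grub` has run, the only thing that matters is what ended up in the generated `/boot/grub/grub.cfg`: a `set superusers=` line, a well-formed `password_pbkdf2` line, and an `--unrestricted` flag on the entry you expect to boot without a prompt. The following script is an added check for exactly that; it is not part of the guide, and every function name in it is this helper's own. Running `grub_check /boot/grub/grub.cfg` reports which entries boot freely and which are password-protected. The sample configuration at the bottom is constructed to resemble what `update-grub` writes after the steps above (the hash is the `password` hash from the chapter), so the script runs stand-alone.

```shell
#!/bin/sh
# Added verification helper; not part of the original guide. Checks that a
# generated grub.cfg carries a superuser, a well-formed PBKDF2 password line,
# and at least one --unrestricted entry (otherwise every boot prompts for the
# password). All function names here are this helper's own.

# Number of "set superusers=" lines in a grub.cfg
has_superusers() {
    grep -c '^set superusers=' "$1" || true
}

# First hash string found on a password_pbkdf2 line (empty if there is none)
first_pbkdf2_hash() {
    grep '^password_pbkdf2 ' "$1" | head -n 1 | awk '{print $3}'
}

# Succeeds when a hash has the shape grub-mkpasswd-pbkdf2 emits:
# grub.pbkdf2.sha512.<iterations>.<salt>.<hash>, salt and hash 128 hex chars each
pbkdf2_hash_is_well_formed() {
    printf '%s\n' "$1" |
        grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]{128}\.[0-9A-Fa-f]{128}$'
}

# Iteration count encoded in a hash string (4th dotted field)
pbkdf2_iterations() {
    printf '%s\n' "$1" | cut -d. -f4
}

# Titles of menu entries that boot without the password (carry --unrestricted)
unrestricted_entries() {
    grep -E "^[[:space:]]*menuentry '[^']*'.*--unrestricted" "$1" |
        sed -E "s/^[[:space:]]*menuentry '([^']*)'.*/\1/"
}

# Titles of entries and submenus that require the GRUB password
restricted_entries() {
    grep -E "^[[:space:]]*(menuentry|submenu) '[^']*'" "$1" |
        grep -v -- '--unrestricted' |
        sed -E "s/^[[:space:]]*(menuentry|submenu) '([^']*)'.*/\2/"
}

# Overall check: returns 0 when the config looks right, 1 otherwise
grub_check() {
    cfg="$1"
    [ "$(has_superusers "$cfg")" -ge 1 ] ||
        { echo "FAIL: no 'set superusers=' line in $cfg"; return 1; }
    hash=$(first_pbkdf2_hash "$cfg")
    pbkdf2_hash_is_well_formed "$hash" ||
        { echo "FAIL: no well-formed password_pbkdf2 line in $cfg"; return 1; }
    [ "$(pbkdf2_iterations "$hash")" -ge 100000 ] ||
        echo "WARN: iteration count is below the 100000 used in the guide"
    n=$(unrestricted_entries "$cfg" | wc -l | tr -d ' ')
    [ "$n" -ge 1 ] ||
        { echo "FAIL: no --unrestricted entry; every boot would need the password"; return 1; }
    echo "OK: $n entries boot without a password; password-protected:"
    restricted_entries "$cfg" | sed 's/^/  /'
    return 0
}

# Constructed sample resembling what update-grub writes after the steps above.
# The hash is the `password` hash from the chapter; ROOT-UUID is a placeholder.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" << 'EOF'
### BEGIN /etc/grub.d/01_password ###
set superusers="grub"
password_pbkdf2 grub grub.pbkdf2.sha512.100000.2812C233DFC899EFC3D5991D8CA74068C99D6D786A54F603E9A1EFE7BAEDDB6AA89672F92589FAF98DB9364143E7A1156C9936328971A02A483A84C3D028C4FF.C255442F9C98E1F3C500C373FE195DCF16C56EEBDC55ABDD332DD36A92865FA8FC4C90433757D743776AB186BD3AE5580F63EF445472CC1D151FA03906D08A6D
### END /etc/grub.d/01_password ###
### BEGIN /etc/grub.d/10_linux ###
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-simple-ROOT-UUID' {
        linux   /boot/vmlinuz root=UUID=ROOT-UUID ro quiet
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-ROOT-UUID' {
        menuentry 'Debian GNU/Linux (recovery mode)' --class debian --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-recovery-ROOT-UUID' {
                linux   /boot/vmlinuz root=UUID=ROOT-UUID ro single
        }
}
### END /etc/grub.d/10_linux ###
EOF

grub_check "$SAMPLE_CFG"
```

The sample deliberately mirrors a detail of the real `10_linux` script: `CLASS` is applied to the `menuentry` lines but not to the "Advanced options" `submenu`, so after this chapter the default entry (and the recovery entry inside the submenu) carry `--unrestricted` while opening the submenu itself still asks for the GRUB password.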