Password Protect GRUB

Warning: !! PROCEED AT YOUR OWN RISK !!

Proceed At Your Own Risk

This section covers things that are high risk because there is a possibility they can make your system unusable, or are considered unnecessary by many because the risks outweigh any rewards.

Why should you password protect GRUB?

If a bad actor has physical access to your server, they could use GRUB to gain unauthorized access to your system. On the other hand, you shouldn’t do it because if you forget the password, you’ll have to go through some work to recover the password.

Goals

  • auto boot the default Debian install and require a password for anything else

Notes

  • This will only protect GRUB and anything behind it like your operating systems. Check your motherboard’s documentation for password protecting your BIOS to prevent a bad actor from circumventing GRUB.

Steps - Password protect GRUB

  1. Create a Password-Based Key Derivation Function 2 (PBKDF2) hash of your password:

     grub-mkpasswd-pbkdf2 -c 100000
    

    The output below is from using "password" as the password:

    Enter password:
    Reenter password:
    PBKDF2 hash of your password is grub.pbkdf2.sha512.100000.2812C233DFC899EFC3D5991D8CA74068C99D6D786A54F603E9A1EFE7BAEDDB6AA89672F92589FAF98DB9364143E7A1156C9936328971A02A483A84C3D028C4FF.C255442F9C98E1F3C500C373FE195DCF16C56EEBDC55ABDD332DD36A92865FA8FC4C90433757D743776AB186BD3AE5580F63EF445472CC1D151FA03906D08A6D
    
  2. Copy everything after "PBKDF2 hash of your password is", starting from and including grub.pbkdf2.sha512... to the end. You’ll need this in the next step.

  3. The update-grub program uses scripts to generate configuration files it will use for GRUB’s settings. Create the file /etc/grub.d/01_password and add the below code after replacing [hash] with the hash you copied from the first step. This tells update-grub to use this username and password for GRUB.

     #!/bin/sh
     set -e
    
     cat << EOF
     set superusers="grub"
     password_pbkdf2 grub [hash]
     EOF
    

    For example:

    #!/bin/sh
    set -e
    
    cat << EOF
    set superusers="grub"
    password_pbkdf2 grub grub.pbkdf2.sha512.100000.2812C233DFC899EFC3D5991D8CA74068C99D6D786A54F603E9A1EFE7BAEDDB6AA89672F92589FAF98DB9364143E7A1156C9936328971A02A483A84C3D028C4FF.C255442F9C98E1F3C500C373FE195DCF16C56EEBDC55ABDD332DD36A92865FA8FC4C90433757D743776AB186BD3AE5580F63EF445472CC1D151FA03906D08A6D
    EOF
    
  4. Set the file’s execute bit so update-grub includes it when it updates GRUB’s configuration:

    sudo chmod a+x /etc/grub.d/01_password
    
  5. Make a backup of GRUB’s configuration file /etc/grub.d/10_linux that we’ll be modifying and unset the execute bit so update-grub doesn’t try to run it:

     sudo cp --archive /etc/grub.d/10_linux /etc/grub.d/10_linux-COPY-$(date +"%Y%m%d%H%M%S")
     sudo chmod a-x /etc/grub.d/10_linux-COPY-*
    
  6. To make the default Debian install unrestricted (without the password) while keeping everything else restricted (with the password), modify /etc/grub.d/10_linux and add --unrestricted to the CLASS variable.

     sudo sed -i -r -e "/^CLASS=/ a CLASS=\"\${CLASS} --unrestricted\"         # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" /etc/grub.d/10_linux
    
  7. Update GRUB with update-grub:

     sudo update-grub
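
To confirm the result before rebooting, the following added example (not part of the original guide) checks a generated grub.cfg for the superusers line, a well-formed password_pbkdf2 entry (so a leftover [hash] placeholder is caught), and at least one --unrestricted menuentry. The function names and the sample fragment are constructed for illustration; /boot/grub/grub.cfg is assumed to be the file update-grub writes on Debian.

```shell
#!/bin/sh
# Added example, not from the original guide: check grub.cfg before rebooting.

# Print the value of the first: set superusers="..."
grub_superusers() {
    sed -n 's/^[[:space:]]*set superusers="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed if user $2 has a password_pbkdf2 line with a well-formed hash.
grub_has_pbkdf2() {
    grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$2[[:space:]]+grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+[[:space:]]*\$" "$1"
}

# Print "<unrestricted> <total>" counts of menuentry lines (submenus included).
grub_entry_counts() {
    awk '/^[ \t]*menuentry[ \t]/ { t++; if (/--unrestricted/) u++ }
         END { print u + 0, t + 0 }' "$1"
}

check_grub_cfg() {
    users=$(grub_superusers "$1" | tr ',;|&' '    ')
    [ -n "$users" ] || { echo "FAIL: no superusers set, GRUB is unprotected"; return 1; }
    for u in $users; do
        grub_has_pbkdf2 "$1" "$u" ||
            { echo "FAIL: no valid password_pbkdf2 line for '$u'"; return 1; }
    done
    counts=$(grub_entry_counts "$1")
    open=${counts% *}
    total=${counts#* }
    [ "$open" -gt 0 ] ||
        { echo "FAIL: no --unrestricted entry, every boot needs the password"; return 1; }
    echo "OK: superusers=$users; $open of $total menuentry lines are --unrestricted"
}

# Constructed sample grub.cfg fragment; the hash is a shortened placeholder.
sample=$(mktemp)
cat > "$sample" << 'EOF'
set superusers="grub"
password_pbkdf2 grub grub.pbkdf2.sha512.100000.0A1B2C.3D4E5F
menuentry 'Debian GNU/Linux' --class gnu-linux --class os --unrestricted {
}
submenu 'Advanced options (constructed)' {
    menuentry 'Other entry (constructed)' --class os {
    }
}
EOF
check_grub_cfg "$sample"
rm -f "$sample"
```

To check the real file, call check_grub_cfg /boot/grub/grub.cfg as root; the reported count also shows how many entries will boot without the password.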
    
