How to add password protection to GRUB2

These instructions are tested with Ubuntu desktop 12.04, but will probably be useful in other Linux distros with GRUB2 as well.

The goal is to block everything except booting the default system. In particular, it should not be possible for anyone to boot into recovery mode, since that bypasses the normal login and gives root access directly.

  1. Run grub-mkpasswd-pbkdf2 from a terminal, enter the desired password and copy the hash it outputs.
  2. Edit /etc/grub.d/40_custom and add this to the end:
    set superusers="root"
    password_pbkdf2 root <output from grub-mkpasswd-pbkdf2 goes here>
    password bogus bogus
  3. Make /etc/grub.d/40_custom unreadable to other users:
    chmod o-r /etc/grub.d/40_custom
  4. Edit /etc/grub.d/10_linux according to this diff:
    <   printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
    >   if ${recovery} || ${in_submenu}; then
    >     printf "menuentry '${title}' ${CLASS} --users '' {\n" "${os}" "${version}"
    >   else
    >     printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
    >   fi
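    Review bot: `if ${recovery} || ${in_submenu}; then` runs the two variables as commands, so it only works where 10_linux sets both to `true`/`false` (or `:`); on a 10_linux that never sets `in_submenu`, the empty expansion after `||` is a shell syntax error and update-grub aborts. Writing `if ${recovery:-false} || ${in_submenu:-false}; then` makes a missing variable fall back to "not restricted" instead of breaking menu generation. This file also belongs to the grub package, so a package upgrade will prompt about or replace the local change; keep the diff around to re-apply it.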
    <     echo "submenu \"Previous Linux versions\" {"
    >     echo "submenu \"Previous Linux versions\" --users '' {"
  5. Edit /etc/grub.d/20_memtest86+ according to this diff:
    < menuentry "Memory test (memtest86+)" {
    > menuentry "Memory test (memtest86+)" --users "" {
    < menuentry "Memory test (memtest86+, serial console 115200)" {
    > menuentry "Memory test (memtest86+, serial console 115200)" --users "" {
    < #menuentry "Memory test (memtest86+, experimental multiboot)" {
    > #menuentry "Memory test (memtest86+, experimental multiboot)" --users "" {
    < #menuentry "Memory test (memtest86+, serial console 115200, experimental multiboot)" {
    > #menuentry "Memory test (memtest86+, serial console 115200, experimental multiboot)" --users "" {
  6. Run update-grub to regenerate /boot/grub/grub.cfg.
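After step 6 it is worth confirming that the generated grub.cfg really contains what the edits were meant to produce. The script below is an added example, not something from the original post: it checks for a superuser, for a PBKDF2 hash (rather than a plaintext password line) belonging to that superuser, and for a --users restriction on every entry that bypasses the normal login (recovery mode, the "Previous Linux versions" submenu, memtest86+). The two sample configs it writes are constructed for the demonstration; the hash in the hardened sample is a placeholder, and on a real machine you would point grub_cfg_audit at /boot/grub/grub.cfg instead.

```sh
#!/bin/sh
# Added example (not from the original post): audit a generated grub.cfg for the
# restrictions that steps 2-5 are supposed to introduce.

# grub_cfg_audit FILE
# Prints one PROBLEM line per finding; returns 0 when the config is clean, 1 otherwise.
grub_cfg_audit() {
    cfg="$1"
    problems=0

    # Without 'set superusers', a --users option on an entry is not enforced at all.
    if ! grep -q '^set superusers=' "$cfg"; then
        echo "PROBLEM: no 'set superusers=' line"
        problems=$((problems + 1))
    fi

    # The superuser's credential should be the hash produced by grub-mkpasswd-pbkdf2.
    if ! grep -q '^password_pbkdf2 [^ ][^ ]* grub\.pbkdf2\.sha512\.' "$cfg"; then
        echo "PROBLEM: no password_pbkdf2 line carrying a grub.pbkdf2.sha512 hash"
        problems=$((problems + 1))
    fi

    # Entries that bypass the normal login path must carry --users.
    # (--unrestricted is GRUB's explicit opt-out; it is excluded from the report too.)
    unrestricted=$(grep -E '^[[:space:]]*(menuentry|submenu) ' "$cfg" \
        | grep -E 'recovery mode|Previous Linux versions|Memory test' \
        | grep -v -e '--users' -e '--unrestricted' || true)
    if [ -n "$unrestricted" ]; then
        echo "PROBLEM: entries that bypass login are not restricted:"
        echo "$unrestricted"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Constructed sample: what grub.cfg looks like after the edits in steps 2-5.
# The password hash is a placeholder, not a real grub-mkpasswd-pbkdf2 output.
write_hardened_sample() {
    cat > "$1" <<'EOF'
menuentry 'Ubuntu, with Linux 3.2.0-23-generic' --class ubuntu {
    linux /boot/vmlinuz-3.2.0-23-generic root=/dev/sda1 ro quiet splash
}
menuentry 'Ubuntu, with Linux 3.2.0-23-generic (recovery mode)' --class ubuntu --users '' {
    linux /boot/vmlinuz-3.2.0-23-generic root=/dev/sda1 ro recovery nomodeset
}
submenu "Previous Linux versions" --users '' {
    menuentry 'Ubuntu, with Linux 3.2.0-22-generic' --class ubuntu --users '' {
        linux /boot/vmlinuz-3.2.0-22-generic root=/dev/sda1 ro quiet splash
    }
}
menuentry "Memory test (memtest86+)" --users "" {
    linux16 /boot/memtest86+.bin
}
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
EOF
}

# Constructed sample: a stock grub.cfg where the edits were forgotten.
write_stock_sample() {
    cat > "$1" <<'EOF'
menuentry 'Ubuntu, with Linux 3.2.0-23-generic' --class ubuntu {
    linux /boot/vmlinuz-3.2.0-23-generic root=/dev/sda1 ro quiet splash
}
menuentry 'Ubuntu, with Linux 3.2.0-23-generic (recovery mode)' --class ubuntu {
    linux /boot/vmlinuz-3.2.0-23-generic root=/dev/sda1 ro recovery nomodeset
}
menuentry "Memory test (memtest86+)" {
    linux16 /boot/memtest86+.bin
}
EOF
}

# Demonstration on the two constructed samples.
good=$(mktemp); bad=$(mktemp)
write_hardened_sample "$good"; write_stock_sample "$bad"
grub_cfg_audit "$good" && echo "hardened sample: OK"
grub_cfg_audit "$bad" || echo "stock sample: problems found, as expected"
rm -f "$good" "$bad"
```

The audit deliberately does not demand that every entry be restricted: the post's design keeps the default entry bootable without a password and locks only the paths that skip the login, so that is what is checked.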

(I am not sure if it is possible to abuse memtest86+, but better safe than sorry.)

See this page for more information.

Please note that this by itself does not give you a secure system. It should be combined with password protection for the BIOS setup and for booting from removable media (CD-ROM) and USB devices. And you should not allow login without a password in the main Linux system.

None of these measures protect against serious tampering with the hardware, such as removing the internal HDD and connecting it as a non-boot device to another computer.

This entry was posted in Linux, security, Ubuntu.

2 Responses to How to add password protection to GRUB2

  1. A. S. M. Kaiser Harun says:

    Tutorial is nice .. but in rhel7 there is no update-grub command ..
    then how would that be possible ???

  2. barcelona says:

    An impressive share! I have just forwarded this onto a co-worker who was doing a
    little research on this. And he actually ordered me lunch due
    to the fact that I stumbled upon it for him… lol. So allow me to reword this….
    Thanks for the meal!! But yeah, thanks for spending the time to discuss this subject here on your internet site.