In my last article I shared the steps to protect GRUB2 from booting a kernel without a password. In this article I will share the steps to set a GRUB2 password to protect the grub2 file on RHEL / CentOS 7, so that non-authorised users cannot modify the grub entry at the boot loader stage.


But before we start you must know GRUB2 offers two types of password protection:

So there are two definitions when we talk about setting a GRUB2 password in Linux. Earlier this was achieved using grub2-mkpasswd-pbkdf2, but starting with RHEL 7.2 the recommended tool to set a GRUB2 password is grub2-setpassword.

 

How does GRUB2 protection work?

You can check the /etc/grub.d/01_users file, which has the content below:

#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root \${GRUB2_PASSWORD}
  fi
fi
EOF

 

The same is available inside /boot/grub2/grub.cfg:

### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
  fi
fi
### END /etc/grub.d/01_users ###

So basically GRUB2 checks /boot/grub2/user.cfg for GRUB2_PASSWORD. If it is found, GRUB2 sets root as the superuser, and the password from GRUB2_PASSWORD is assigned to root using password_pbkdf2.

 

Steps to set GRUB2 password

First of all, create a password using grub2-setpassword as the root user.

# grub2-setpassword
Enter password:
Confirm password:

This command creates (if it does not already exist) or updates /boot/grub2/user.cfg with the hashed password:

# cat /boot/grub2/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.BB05A464F1E8C1AFC62CAE808679084D07B2DB9635934A8B7640BF84329455114E36001854108B7080D0A8A6335CBCBBA3E7B86BDF7468F307EE4EEFDCC294E2.CED195B269E2C60A94B5C61EFCF6B610383C306D5313CDB65DBE8063C7B8BDB1E571BD4661D398A7626878BF6055435658741D804F01A8E679DC69E8510B72A0
IMPORTANT NOTE:
You do not need to rebuild your initramfs, since grub.cfg already contains all the logic required to check for the grub password at the boot loader stage.

 

Continue with a reboot of your Linux node to validate your changes. When you get the splash screen with the grub menu, press e to edit the highlighted kernel.


It will prompt you for a username and password. Here the username is root and the password is the one you set with grub2-setpassword.


If the credentials match, you will get the grub.cfg entry content for editing.
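
The same setup can be checked from a running system before you reboot. The script below is an added example, not part of the original article: it audits the 01_users stanza in grub.cfg and the GRUB2_PASSWORD entry in user.cfg. The function names, the constructed sample directory with its shortened dummy hash, and the rule that user.cfg must not be accessible to group/other are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original article: audit the files that
# grub2-setpassword and 01_users rely on. Argument: GRUB2 directory.
audit_grub2_password() {
    dir="${1:-/boot/grub2}"; rc=0
    # 1. grub.cfg must carry the 01_users stanza (literal text, hence -F).
    if ! grep -qF 'password_pbkdf2 root ${GRUB2_PASSWORD}' "$dir/grub.cfg" 2>/dev/null; then
        echo "FAIL: 01_users stanza missing from $dir/grub.cfg"; rc=1
    fi
    # 2. Without a non-empty user.cfg the stanza sets no password at all.
    if [ ! -s "$dir/user.cfg" ]; then
        echo "FAIL: $dir/user.cfg missing or empty, no GRUB2 password is set"
        return 1
    fi
    # 3. Value must look like grub.pbkdf2.sha512.<iterations>.<salt>.<hash>.
    value=$(sed -n 's/^GRUB2_PASSWORD=//p' "$dir/user.cfg" | head -n 1)
    if ! printf '%s\n' "$value" |
        grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'; then
        echo "FAIL: GRUB2_PASSWORD is not a grub.pbkdf2.sha512 hash"; rc=1
    fi
    # 4. Assumed hardening rule: no group/other access to the stored hash.
    perms=$(ls -ld "$dir/user.cfg" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $dir/user.cfg is accessible to group/other ($perms)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: GRUB2 password is configured in $dir"
    return "$rc"
}

# Constructed sample directory (shortened dummy hash) for an offline dry run.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'if [ -f ${prefix}/user.cfg ]; then' \
        '  source ${prefix}/user.cfg' \
        '  password_pbkdf2 root ${GRUB2_PASSWORD}' 'fi' > "$d/grub.cfg"
    echo 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.0A1B2C.3D4E5F' > "$d/user.cfg"
    chmod 600 "$d/user.cfg"
    echo "$d"
}

sample=$(make_sample_dir)
audit_grub2_password "$sample"
rm -rf "$sample"
```

On a real host, call `audit_grub2_password /boot/grub2` as root so that user.cfg is readable.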

 

Steps to remove GRUB2 password

To remove the GRUB2 password you must delete the /boot/grub2/user.cfg file or clear the content of this file. When no GRUB2_PASSWORD is defined, no password prompt appears when someone attempts to edit the grub menu.

So let us remove the user.cfg file containing GRUB2_PASSWORD:

# rm -f /boot/grub2/user.cfg
IMPORTANT NOTE:
You do not need to rebuild your initramfs, since grub.cfg already contains all the logic required to check for the grub password at the boot loader stage.

Now reboot your system to validate the changes.

 

Lastly, I hope the steps from this article to set a GRUB2 password and remove a GRUB2 password in RHEL / CentOS 7 Linux were helpful. Let me know your suggestions and feedback using the comment section.

 
