In my last article I shared the steps to protect GRUB2 from booting a kernel without a password. In this article I will share the steps to set a GRUB2 password that protects the grub2 file on RHEL / CentOS 7, so that non-authorised users cannot modify the grub entry at the boot loader stage.
But before we start you must know GRUB2 offers two types of password protection:
- Password is required for modifying menu entries but not for booting existing menu entries;
- Password is required for modifying menu entries and for booting one, several, or all menu entries.
So there are two definitions when we talk about setting a GRUB2 password in Linux. Earlier this was achieved using grub2-mkpasswd-pbkdf2, but starting with RHEL 7.2 the recommended tool to set a GRUB2 password is grub2-setpassword.
How does GRUB2 protection work?
You can check the /etc/grub.d/01_users file, which has the below content:
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root \${GRUB2_PASSWORD}
  fi
fi
EOF
The same block is then available inside /boot/grub2/grub.cfg:
### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
  fi
fi
### END /etc/grub.d/01_users ###
So basically GRUB checks for /boot/grub2/user.cfg to get GRUB2_PASSWORD and, if it is found, sets the respective password for the provided superuser, which here is root. The same password is then assigned using password_pbkdf2.
Steps to set GRUB2 password
First of all, create a password by running grub2-setpassword as the root user.
# grub2-setpassword
Enter password:
Confirm password:
This command will create (if it does not already exist) or update /boot/grub2/user.cfg with the hashed password:
# cat /boot/grub2/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.BB05A464F1E8C1AFC62CAE808679084D07B2DB9635934A8B7640BF84329455114E36001854108B7080D0A8A6335CBCBBA3E7B86BDF7468F307EE4EEFDCC294E2.CED195B269E2C60A94B5C61EFCF6B610383C306D5313CDB65DBE8063C7B8BDB1E571BD4661D398A7626878BF6055435658741D804F01A8E679DC69E8510B72A0
grub.cfg already contains everything required to check for the GRUB password during the boot loader stage.
Continue with a reboot of your Linux node to validate your changes. When you get the splash screen with the GRUB menu, press e to edit the highlighted kernel.
It will prompt you for a username and password. Here the username is root and the password is the one you used with grub2-setpassword.
If the entries match then you will get the grub.cfg content for editing.
Steps to remove GRUB2 password
To remove the GRUB2 password you must delete the /boot/grub2/user.cfg file or clear the content of this file. When no GRUB2_PASSWORD is defined, there will be no prompt for one when someone attempts to edit the grub menu.
So let us remove the user.cfg file containing GRUB2_PASSWORD:
# rm -f /boot/grub2/user.cfg
grub.cfg already contains everything required to check for the GRUB password during the boot loader stage. Now reboot your system to validate the changes.
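A small audit check for the mechanism described in "How GRUB2 protection works" and in the removal steps, added here as an example (it is not part of the original article or of GRUB2). It reports whether the 01_users block is present in grub.cfg and whether user.cfg carries a well-formed GRUB2_PASSWORD value. The function name grub2_password_status and its status strings are assumptions made for this example, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: report whether the 01_users password mechanism is armed.
# Usage: grub2_password_status [path to grub.cfg] [path to user.cfg]
grub2_password_status() {
    cfg=${1:-/boot/grub2/grub.cfg}
    usercfg=${2:-/boot/grub2/user.cfg}

    # Without the 01_users block, grub.cfg never reads user.cfg at all.
    if ! grep -qF 'password_pbkdf2 root ${GRUB2_PASSWORD}' "$cfg" 2>/dev/null; then
        echo "no-01_users-block"; return 1
    fi
    # A deleted user.cfg means no password (the removal case).
    if [ ! -f "$usercfg" ]; then
        echo "no-user-cfg"; return 1
    fi
    # Read the value as text; never 'source' a file we are auditing.
    value=$(sed -n 's/^GRUB2_PASSWORD=//p' "$usercfg" | tail -n 1)
    # A cleared file or empty value fails the [ -n ... ] test in grub.cfg.
    if [ -z "$value" ]; then
        echo "empty-password"; return 1
    fi
    # Expected layout: grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>
    if printf '%s\n' "$value" |
        grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'; then
        echo "protected"; return 0
    fi
    echo "malformed-hash"; return 1
}

# Constructed sample files so the check can be tried away from a real /boot.
demo=$(mktemp -d)
cat > "$demo/grub.cfg" <<'EOF'
### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
  fi
fi
### END /etc/grub.d/01_users ###
EOF
# Constructed value in the right layout, not a real hash.
echo 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.AB12.CD34' > "$demo/user.cfg"
grub2_password_status "$demo/grub.cfg" "$demo/user.cfg"
rm -rf "$demo"
```

Run it as root without arguments on a RHEL / CentOS 7 host to check the real files under /boot/grub2.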
Lastly, I hope the steps from this article to set and remove the GRUB2 password in RHEL / CentOS 7 Linux were helpful. Let me know your suggestions and feedback using the comment section.