HostOnNet Blog

Password Protect Grub 2 in Ubuntu/Debian

Posted on February 12, 2017 by admin

Looking for Linux Server Admin or WordPress Expert? We can help.

Contact Us

Password Protect Grub 2 in Ubuntu/Debian

First you need to create password, this can be done by running grub-mkpasswd-pbkdf2

root@hon-vpn:~# grub-mkpasswd-pbkdf2
Enter password: 
Reenter password: 
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.E421A6997EBAF6E49B05AC950CC8154A4B9D703C8498E2916DCC31B0FC9F11B6B53E16B34DD09A1F90250E4E36AB930C6BED3C9D3B01D010A7B377F5CEF4B2AA.C5B99B66841C5325A1175AF05D50344260B6FC84912E2B1C591A085C0C0ECCE74B1661703F344E372ADEE67D409A3B538047EC437983D723991C5168979F8789
root@hon-vpn:~#

Now edit file /etc/grub.d/00_header

vi /etc/grub.d/00_header

Add following content at the end of the file

cat << EOF
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.E421A6997EBAF6E49B05AC950CC8154A4B9D703C8498E2916DCC31B0FC9F11B6B53E16B34DD09A1F90250E4E36AB930C6BED3C9D3B01D010A7B377F5CEF4B2AA.C5B99B66841C5325A1175AF05D50344260B6FC84912E2B1C591A085C0C0ECCE74B1661703F344E372ADEE67D409A3B538047EC437983D723991C5168979F8789
EOF

superuser can be any user name.

If you wanted to allow users boot with out entering password, edit file /etc/grub.d/10_linux and add --unrestricted to boot entry.

vi /etc/grub.d/10_linux

Find

echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"

Replace with

echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' --unrestricted {" | sed "s/^/$submenu_indentation/"

For disabling Recovery and Advanced Options grub menu entry, edit /etc/default/grub

vi /etc/default/grub

Add following 2 times

GRUB_DISABLE_RECOVERY="true"
GRUB_DISABLE_SUBMENU=y

Now run update-grub

root@hon-vpn:~# update-grub
Generating grub configuration file ...
Found background image: /usr/share/images/desktop-base/desktop-grub.png
Found linux image: /boot/vmlinuz-3.16.0-4-amd64
Found initrd image: /boot/initrd.img-3.16.0-4-amd64
done
root@hon-vpn:~#

You can download modified files from

https://blog.hostonnet.com/wp-content/uploads/2017/02/grub-password.tar.gz

Posted in Linux

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.