Secure Your Computer, Part 2: Password-Protect the GRUB Bootloader on Dual-Booted PCs
There is a near-infinite amount of ways a computer can be broken into. But that does not mean that there isn't a reason to secure our computers as best as we possibly can. It's like the principles of a secure house. Which are the most secure houses? The ones with locks and advanced alarms, obviously, but not for the reasons people normally think.
Do alarms and locks make a house impossible to break into? In truth, it's not much more difficult than a house with a simple knob-lock. But a burglar would go for the house that is an easy target, just the same as a hacker would normally attack the weakest computer.
In this Null Byte, we are going to be setting a password on our GRUB bootloader. With this, we can set passwords on individual operating systems, to restrict access to whichever ones that we please. I will be doing this under Arch Linux, but the commands will be the same across all Linux platforms.
Text in bold means they are commands that need to be entered in a terminal emulator.
To password protect entries in GRUB, we have to use GRUB's built-in tool, grub-md5-crypt. This generates an MD5 hash for storage in the /boot/grub/menu.lst file. It has to be stored in that file because when you enter the password when it requests it, it needs the hash to compare the password to.
Let's get started!
- Generate the MD5 hash for the password:
- Type your password and then re-enter it to verify. It should give an output similar to the following:
- From the hash that it returns (the last line) edit your menu.lst file accordingly:
sudo nano /boot/grub/menu.lst
- Make it look like this, right below the color specifications:
# general configuration
color light-blue/black light-cyan/blue
password --md5 $1$ZOGor$GABXUQ/hnzns/d5JYqqjw
- Then, scroll down until you find the OS's and add lock as an option to the ones you want to have a password:
# (0) Arch Linux
title Arch Linux
kernel /boot/vmlinuz-linux root=/dev/disk/by-label/Arch_Linux ro
After that, we can call it at quits! Our box is a little more secure. This will stop people from booting a private OS, an extra layer of security on top of a BIOS and OS password.