Secure Your Computer, Part 2: Password-Protect the GRUB Bootloader on Dual-Booted PCs

Password-Protect the GRUB Bootloader on Dual-Booted PCs

There is a near-infinite amount of ways a computer can be broken into. But that does not mean that there isn't a reason to secure our computers as best as we possibly can. It's like the principles of a secure house. Which are the most secure houses? The ones with locks and advanced alarms, obviously, but not for the reasons people normally think.

Do alarms and locks make a house impossible to break into? In truth, it's not much more difficult than a house with a simple knob-lock. But a burglar would go for the house that is an easy target, just the same as a hacker would normally attack the weakest computer.

In this Null Byte, we are going to be setting a password on our GRUB bootloader. With this, we can set passwords on individual operating systems, to restrict access to whichever ones that we please. I will be doing this under Arch Linux, but the commands will be the same across all Linux platforms.

Password Protect GRUB

Text in bold means they are commands that need to be entered in a terminal emulator.

To password protect entries in GRUB, we have to use GRUB's built-in tool, grub-md5-crypt. This generates an MD5 hash for storage in the /boot/grub/menu.lst file. It has to be stored in that file because when you enter the password when it requests it, it needs the hash to compare the password to.

Let's get started!

  1. Generate the MD5 hash for the password:
        grub-md5-crypt
  2. Type your password and then re-enter it to verify. It should give an output similar to the following:
        # grub-md5-crypt
        Password:
        Retype password:
        $1$ZOGor$GABXUQ/hnzns/d5JYqqjw
  3. From the hash that it returns (the last line) edit your menu.lst file accordingly:
        sudo nano /boot/grub/menu.lst
  4. Make it look like this, right below the color specifications:
        # general configuration
        timeout 5
        default 0
        color light-blue/black light-cyan/blue
        password --md5 $1$ZOGor$GABXUQ/hnzns/d5JYqqjw
  5. Then, scroll down until you find the OS's and add lock as an option to the ones you want to have a password:
        # (0) Arch Linux
        title Arch Linux
        lock
        root (hd0,1)
        kernel /boot/vmlinuz-linux root=/dev/disk/by-label/Arch_Linux ro
        initrd /boot/initramfs-linux.img

After that, we can call it at quits! Our box is a little more secure. This will stop people from booting a private OS, an extra layer of security on top of a BIOS and OS password.

Follow me on Twitter and check out our IRC chat room!

Image via techiemania

6 Comments

Great series! I guess a part 3 with protecting your whole hard drive comes next? ^_^

You got it! Drive encryption!

Yeah! Not just a Drive though, a Drive that boots an OS! If it is possible.

Just out of curiosity, if you were to change "grub-md5-crypt" to "grub-sha256-crypt" that would be valid still? I forget the libraries name that stores all of those, but I think most OS' have md4, md5, sha224, sha256, sha384, and sha512 available out of the box..

Grub2 uses a different encryption method entirely to the antiquated original grub. The original grub uses md5 passes the newer grub2 uses sha-512.

Share Your Thoughts

  • Hot
  • Latest