If you think your Linux computer is very safe because you have a very long password for your user login you are totally wrong my friend. Anyone can easily bypass your login password if they can touch your computer keyboard when the computer is starting up. They do not need to be a super smart hacker to do this because they only need to press one key on the keyboard and write a very simple code to become the root administrator. This is a very big security hole on almost all Linux systems like Ubuntu, Fedora, CentOS, and Debian if you do not lock your GRUB bootloader. When you leave your laptop in a coffee shop or when you have a server in a shared office room someone can just restart the machine and take all your files inside. This guide will show you how to lock your GRUB with a password so nobody can change your boot settings and steal your admin power.
Many peoples do not know that the bootloader is the most weak part of a computer security because it starts before the operating system load. When your computer turn on it shows a menu that is called GRUB where you can choose which Linux kernel you want to start. If someone is standing in front of your computer they can just press the “e” key on their keyboard when this menu appears. The “e” key means edit and it opens a text editor where they can change how the Linux kernel starts. They can just go to the end of the line that starts with “linux” and add a small text like “rd.break” or “init=/bin/bash” to it. After they do this they just press Ctrl and X to boot the computer and the system will give them a root shell terminal without asking for any password at all. From this root shell they can mount your hard drive and change your root password to a new one or they can just read all your private pictures and school homework documents. This is very scary because it is so easy to do and it takes only one minute for anyone to hack your system like this.
To stop this bad thing from happening we must to set a password for the GRUB bootloader so that when someone try to press “e” to edit the boot menu the computer will ask them for a username and a password. If they do not know the password they cannot change anything and your system is safe. But we also want the computer to boot normally to the login screen without asking for a GRUB password every time we turn it on because if we restart our computer remotely we do not want it to get stuck waiting for a bootloader password. The tool we will use is called grub2-setpassword because it does exactly this smart thing and it is very easy to use even if you are not a professional Linux administrator.
Now we will do the tutorial step by step so you can make your Linux computer more safer today. Please read every step carefully and do not make any mistake because if you do a mistake you might not be able to boot your system easily.
Step 1: Open your terminal and check your user power
First you need to open your terminal application on your Linux desktop. You must have administrator privilege to do this tutorial because we are changing very deep system files. You can check if you can use sudo command by typing a simple command in your terminal. We will use the sudo command before our GRUB tools to make sure we have the root power.
Step 2: Generate the GRUB password
Now you must to run the special tool that will make the password hash for your bootloader. Type this command in your terminal and then press enter:
sudo grub2-setpassword
If you are using Ubuntu or Debian sometimes the command is a little bit different and you might need to use grub-mkpasswd-pbkdf2 but for CentOS, Fedora, and Red Hat the grub2-setpassword is the best tool because it is very simple. When you press enter the terminal will ask you to enter a password. Type a strong password that you will not forget. When you type the password you will not see any characters or stars on the screen because Linux hides it for security. Just type it blindly and press enter. Then the terminal will ask you to type the password again to confirm it. Type it again and press enter.
Step 3: Understand where the password goes
When you run the command in the step before, the system makes a very secure hash of your password using a helper called PBKDF2. This is a very good math algorithm that makes it very hard for hackers to guess your password even if they see the hash code. The system saves this hash code inside a file located at /boot/grub2/user.cfg. You do not need to edit this file yourself because the tool did it for you. But it is good to know where it is in case you want to delete it later if you do not want the password anymore. Only the root user can read this file so normal users on your computer cannot see your password hash.
Step 4: Update your GRUB configuration file
Now that the password hash is saved we must to tell the GRUB bootloader to use this password file when it starts up. If we do not update the configuration file the bootloader will not know that we have set a new password. To update the configuration you need to run the config maker tool. Type this command in your terminal:
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
Please be very careful with this command because the path of the file can be different depending on how your computer boots. If your computer uses the old BIOS system the path is /boot/grub2/grub.cfg. But if your computer is a modern computer that uses UEFI system then the path might be /boot/efi/EFI/centos/grub.cfg or /boot/efi/EFI/fedora/grub.cfg. If you are using Ubuntu the path is usually /boot/grub/grub.cfg. If you write the wrong path the command will not work or it will write the configuration to a wrong place and nothing will change. You can search where your grub config file is by running find /boot -name "grub.cfg" before you run the update command so you can be sure of the path.
Step 5: Test your new security settings
Now we must to check if our work is working properly. Save all your open documents and restart your computer. When the computer is starting up and you see the GRUB menu screen with the list of Linux systems quickly press the “e” key on your keyboard. If we did everything correct the screen should not open the editor text. Instead it should show a prompt that asks you to enter “Enter username:” and then “Enter password:”. The default username for GRUB is always “root” so you must type “root” for the username and then type the password that you created in Step 2. If you type it correct then the editor will open and you can edit things. If you do not type it correct the system will not let you change anything.
Step 6: Verify normal boot still works without password
After you test the edit mode restart your computer again and this time do not press any key. Just let the computer boot normally by itself. You will see that the computer boots all the way to your normal login screen without asking for any GRUB password. This is very good because it means if your computer power goes off and it restarts by itself when you are not at home it will still boot normally and your online services or home server will start running again without you needing to type a password at the physical keyboard. The password is only active when someone tries to edit the boot menu or enter the GRUB command line interface.
Sometimes people ask what happens if they forget this GRUB password. If you forget this password you will have a hard time if you need to fix your computer boot problems later. To fix a forgotten GRUB password you will need to boot your computer using a live USB Linux installer and mount your hard drive from there and then delete the /boot/grub2/user.cfg file. This is why you must write down your password somewhere safe or use a password that you can remember easily but other people cannot guess.
This security setup is very important for laptops because they can get lost or stolen very easily. If a bad guy gets your laptop he can use a USB live system or change the boot loader to see all your files. If you set this GRUB password and also use full disk encryption like LUKS then your laptop is extremely safe and nobody can steal your data even if they take the laptop physical body from you.
This small guide setting a GRUB bootloader password is a very necessary step for any Linux system that is not locked in a super secure room. By using the grub2-setpassword tool we made a password hash that stops people from getting a root shell with rd.break or init=/bin/bash commands. At the same time our system can still reboot by itself without getting stuck at the boot menu which is very useful for servers. This is a very simple thing to do but it makes your system security much more stronger than before.