How to password protect the GRUB boot loader in Ubuntu

Password protecting the GRUB boot loader protects against unwanted rebooting and logging into your system, and stops unwanted users from gaining access to single user mode.

How to password protect the GRUB Boot Loader In Ubuntu

There are so many ways to make Linux more secure. Some steps bring very large improvements, while others only bring about incremental changes. Even though a change is small, doesn't mean it can't be mighty. One such security change is to password protect the GRUB boot loader. This not only protects against unwanted rebooting and logging into your system, but it also prevents unwanted users from gaining access to single user mode.

Single user mode allows you to boot Ubuntu into a special mode that includes root privileges. That means, without knowing the root password of a server someone could (with the understanding of how single user mode works) modify or gain access to your system. Granted, the malicious user would need physical access to the computer to do so, but nothing should be left to chance. This is why you should always password protect your GRUB boot loader in Ubuntu (and other Linux distributions).

I'm going to demonstrate this process on Ubuntu Server 18.04, but the process should work on nearly any Ubuntu version (and its derivatives).

SEE: Information security policy template download (Tech Pro Research)

Practice first

Although this process isn't terribly difficult, I do recommend practicing the steps on a virtual machine first. You don't want to just dive into this on a production machine, only to find you've locked yourself out, and the system won't boot.,

Setting the GRUB password

The first thing you must do is set the GRUB password. Log into your machine and issue the following command:


You will be prompted to create and verify a password for GRUB (Figure A).

Figure A

Figure A: Creating a password for GRUB.

Once that completes, the command will generate a hashed password. The hash will begin with grub and end with a long string of characters. You'll need to copy that down.

Next, we need to add the new hash to 00_header file. Issue the command:

sudo nano /etc/grub.d/00_header

At the bottom of that file, paste the following:

cat << EOF
set superusers="admin"
password_pbkdf2 admin HASH

where HASH is the hash generated earlier.

Save and close that file. Update GRUB with the command:

sudo update-grub

Booting up and logging in

Reboot your system. Soon after the Ubuntu splash screen appears, you should be prompted to type a username. In the configuration above we created the admin user, which will require the password we added with the grub-mkpasswd-pbkdf2 command. Once you type the username, hit Enter, and you'll be prompted for the password (Figure B).

Figure B

Figure B: The password prompt to continue booting into Single User mode.

Once you've successfully typed the password, you'll either find yourself in Single User mode (if you opted for that boot method) or at the login prompt.

Use with caution

As I mentioned, you will want to practice this with a virtual machine, before you apply it to any system in production. Locking down the GRUB boot loader can go a long way to protecting your Linux systems. It's not a massive change, but it's one that offers significant dividends in the end.

Also see

Image: Jack Wallen

By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic, The New Stack, and Linux New Media. He's covered a variety of topics for over twenty years and is an avid promoter of open source. For more news about Jack Wallen, visit his website jackwallen....