If you use Linux in your data center, on your company network, or even at home, you want to make sure it is as secure as possible. As you might have come to understand, there are so many routes to a heightened security with the open source platform. One path that is often overlooked is password protecting the GRUB menu. Once this has been done, a server or desktop cannot be booted without first entering a password at the GRUB menu.
Do note: Although this is great for security purposes, if you have to reboot a server remotely you won’t be able to without someone physically there to enter the credentials (unless this server or desktop is a virtual machine, and you have access to the host). Even so, adding an extra layer of security is always a plus.
Let’s make this happen. I’ll be demonstrating with Ubuntu Server 16.04.
Read to type?
A quick warning: I’ve tested this numerous times and it has never failed me. That doesn’t mean it won’t fail you. To that end, please make sure you test this on a non-production server first. And always, always, always … backup your data before making such changes!
The command necessary to add the GRUB password is not included in Ubuntu Server by default. In order to add it, you must run a quick installation command. Open a terminal window and issue the command:
sudo apt install grub-common
That’s it. You’re now ready to password protect the boot process of Ubuntu.
Adding the password
Adding the password does require that you copy and paste a key. To that end, you must be logged into your Ubuntu server in such a way that enables copy and paste. So if you’re working with a virtual machine, make sure it allows you to copy the key. If it doesn’t, you can always secure shell into the server, and then follow the steps below.
The first thing you must do is create the password. Issue the command sudo grub-mkpasswd-pbkdf2. You will be prompted to enter and verify a new password for the GRUB menu. Once you’ve successfully verified the password, your key (a very long string of characters) will be displayed. Copy that key to your clipboard, or to another document). With that key copied, it must be added to the /etc/grub/grub.cnf file. Issue the command sudo nano /etc/grub/grub.cnf and then add the following to the bottom of the file:
password_pbkdf2 root KEY
Where KEY is the key generated when you created the password.
Save and close that file.
Finally, issue the command sudo grub-mkconfig -o /boot/grub2/grub.cfg. After this command completes, reboot your machine. After the initial splash screen, you will be prompted for a user and password. The username is root and the password is the password you created after running the sudo grub-mkpasswd-pbkdf2 command. Once you’ve entered the correct credentials, the server will boot and land on the login prompt.
Congrats, you’ve password protected the boot process of your Ubuntu Server. Just remember any time you reboot that server, you will have to enter the credentials for the boot process to complete.