
Protect GRUB2 Entries with Passwords

April 13, 2013 | September 12th, 2022

When using the GRUB boot loader we typically use passwords to protect both the menu itself and individual menu items. As you would expect, this feature is available in GRUB2, and it is better: we define users and passwords, and different users can have access to different items. First we create a "superuser":

		set superusers="andrew"
		password andrew L1nux

Once a superuser is set, you need to enter those credentials to edit menu items during the boot phase. To control access to individual menu items, such as the Single User Mode entry we have created, we add users to those items:

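		# andrew is the superuser; jane is an ordinary user
		set superusers="andrew"
		password andrew L1nux
		password jane secret
		# --users jane: jane or the superuser may boot this entry
		menuentry "Single User Mode" --users jane {
			insmod gzio
			insmod part_msdos
			insmod ext2
			set root=(hd0,1)
			# the trailing 1 boots into single user mode
			linux /boot/vmlinuz root=/dev/sda1 ro 1
			initrd /boot/initrd
		}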

You can see we have created another user, jane, and set her password. She is not a superuser and so has to be assigned access to resources. Adding --users to the menu item for Single User Mode will require superuser rights to boot; adding --users jane will allow jane or the superuser to use this menu item. You will also see in the video how we encrypt passwords using grub-mkpasswd-pbkdf2.
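A quick way to review a configuration like the one above is to list which users still have plaintext passwords, which referenced names have no password line, and who may boot each --users entry. The script below is an added example, not part of the original post; the function names and the sample config (the page's config with jane switched to password_pbkdf2 using placeholder hash fields, plus an undefined user bob) are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample: the page's config, with jane moved to a hashed password
# (placeholder salt/hash fields) and an undefined user "bob" added to the entry.
SAMPLE_CFG = '''\
set superusers="andrew"
password andrew L1nux
password_pbkdf2 jane grub.pbkdf2.sha512.10000.SALTHEX.HASHHEX
menuentry "Single User Mode" --users jane,bob {
    linux /boot/vmlinuz root=/dev/sda1 ro 1
    initrd /boot/initrd
}
'''

def split_users(value):
    # User lists may be separated by spaces, commas, semicolons, pipes or ampersands.
    return [u for u in re.split(r"[ ,;|&]+", value) if u]

def audit_grub_cfg(text):
    superusers, plaintext, hashed, restricted = [], set(), set(), {}
    for line in text.splitlines():
        try:
            tok = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes: skip the line
            continue
        if len(tok) >= 2 and tok[0] == "set" and tok[1].startswith("superusers="):
            superusers = split_users(tok[1].split("=", 1)[1])
        elif len(tok) >= 3 and tok[0] == "password":
            plaintext.add(tok[1])            # password stored in clear text
        elif len(tok) >= 3 and tok[0] == "password_pbkdf2":
            hashed.add(tok[1])               # password stored as a PBKDF2 hash
        elif len(tok) >= 2 and tok[0] == "menuentry" and "--users" in tok[2:-1]:
            restricted[tok[1]] = split_users(tok[tok.index("--users", 2) + 1])
    referenced = set(superusers) | {u for us in restricted.values() for u in us}
    return {
        "plaintext": sorted(plaintext),
        "undefined": sorted(referenced - plaintext - hashed),
        # A listed user or any superuser may boot a --users entry.
        "may_boot": {t: sorted(set(us) | set(superusers))
                     for t, us in restricted.items()},
    }

if __name__ == "__main__":
    for key, value in audit_grub_cfg(SAMPLE_CFG).items():
        print(key, value)
```

A name pasted with typographic quotes (for example ”andrew”) is reported under "undefined", because it no longer matches the name on its password line.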