Cent OS 7 and most other Linux distributions use the GRUB2 boot loader. This guide shows you How to set the grub password in CentOS 7 and test it. The GRUB Menu can be protected by a password and this guide shows you how to set the grub password in CentOS 7.
What is GRUB2?
This menu shows you all the installed it was first invented by Sir Erich Stefan Boleyn in the year 1995. GRUB2 bootloader is used to load the kernel and the kernel loads the Operating System, In short GRUB is the Module which is used to start the Operating System.
These 4-steps are how to set the grub password in CentOS 7:
- Create an Encrypted Password using grub2-mkpasswd-pbkdf2
- Define Encrypted Password in /etc/grub.d/40_custom
- Refresh /boot/grub2/grub.cfg by grub2-mkconfig -o /boot/grub2/grub.cfg
- Test new password on Boot
YouTube Tutorial
Detailed Steps on setting the grub password in CentOS 7
Create an Encrypted Password
Create a password using the grub2-mkpasswd-pbkdf2 command:
[simterm]
# grub2-mkpasswd-pbkdf2
[root@centos7 grub.d]# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.440B11FE0ECAC09C69B18DD358758957HHIUH5EFC1F772E4D0F0F9E1005908EB2DDAECDA8D5975EBD594A89EF60697128C2631515992365958CDD61E3C3896E53.8789479587HFD79A57D46205EE9F4419B921598B8C05C593F12JOIJIO9271825279BBCD0C67AF810B961C91A8C8EB5D65127D3D3515292C6172F8E64
[/simterm]
Add the Encrypted Password to the Custom Configuration File
Make a copy of the text after your password is, we could add this directly in the main configuration file grub.cfg, but it is recommended not to edit directly so we put it into the /etc/grub.d/40_custom file it is good practice to make a backup copy of the file in case.
Then we can add that password into the /etc/grub.d/40_custom file:
[simterm]
# cp /etc/grub.d/40_custom /etc/grub.d/40_custom.backup
# vi /etc/grub.d/40_custom # Edit the GRUB Custom Menu
#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the ‘exec tail’ line above.
set superusers=”root”
password_pbkdf2 root grub.pbkdf2.sha512.10000.440B11FE0ECAC09C69B18DD358758957HHIUH5EFC1F772E4D0F0F9E1005908EB2DDAECDA8D5975EBD594A89EF60697128C2631515992365958CDD61E3C3896E53.8789479587HFD79A57D46205EE9F4419B921598B8C05C593F12JOIJIO9271825279BBCD0C67AF810B961C91A8C8EB5D65127D3D3515292C6172F8E64
[/simterm]
Update the grub.cfg File
Now we have added a new line into the grub file we need to refresh the grub.cfg file by using grub2-mkconfig command, and it is good practise to make a backup of grub.cfg file in case.
An then run the grub2-mkconfig to update grub.cfg file:
[simterm]
cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.backup
grub2-mkconfig -o /boot/grub2/grub.cfg
[/simterm]
We can confirm our password has been added into the GRUB2 Bootloader by cating the grub.cfg file:
[simterm]
cat /boot/grub2/grub.cfg
BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the ‘exec tail’ line above.
set superusers=”root”
password_pbkdf2 root grub.pbkdf2.sha512.10000.2F74BCD26B934CCD43446688BCB4D365862C8BD24461AC04D711F0403993D7571D056788565FAECCEE29B77141F070039A73F9C956DE532F98F93E819C4E842D.67ED723C2F6C4DAF8D42F26942228F678437E8F8569132C93439DF15C855FDBDA742226486
END /etc/grub.d/40_custom ###
[/simterm]
Testing the password
Reboot the system
[simterm]
# reboot
[/simterm]
During the boot process hit SPACE BAR at the GUB menu and hit e to edit the GRUB.
Enter in your Username and Password you defined before:
If the password works you will be able to edit the GRUB2 line entry as per screenshot:
So that is how we can protect the GRUB2 Bootloader in CentOS 7.