Grub - password protect boot entries in Grub using md5

Securing machines, from physical access compromise. Backups, user logins, encryption, BIOS (some mistook it as CMOS) access password protected, how about boot loader? It can potentially boot into single user mode and reset what ever password. Gotcha?

If grub is used, you're in luck. Grub is capable to apply password to every boot or every entry in it.

- run :
and it will present a prompt :

- type the command,

- key in the desired password when it prompts,
(for every character keyed in, it will replace with an asterisk *)

- after pressing enter, the encrypted key will appeared after the prompt :
Copy everything after the space, till the end of line.

- vim the file /boot/grub/menu.lst (the file name and location might vary, depends on your linux distribution)

- to have grub prompt the password every time it boots any entry, put the encrypted password from the above after the line "initrd" parameter in every entry. tag it with the parameter :
password --md5
e.g. :
initrd  /boot/initrd.img-2.6.27-11-generic     ### initrd mentioned
password --md5 $1$HAFDy$z/2TueUQFiruL5         ### tag mentioned

- to have grub protected from editing only (but no password needed to boot every entry), insert the encrypted password from the above into the first section of the file. insert also the command
into every entry.

- reboot and try it out!

Ciao !!!

No comments: