How to add the GRUB password protection to the OS load process instead of when editing boot options

27,538

I have never done this, but hopefully this is what you're looking for.

10.2.7. Setting a Boot Password

Even before the operating system is booted, GRUB2 enables access to file systems. Users without root permissions can access files in your Linux system to which they have no access once the system is booted. To block this kind of access or to prevent users from booting certain operating systems, set a boot password.

[Important] Boot Password and Splash Screen:

If you use a boot password for GRUB2, the usual splash screen is not displayed.

As the user root, proceed as follows to set a boot password:

At the root prompt, encrypt the password using grub-mkpasswd-pbkdf2:

    # grub-mkpasswd-pbkdf2
    Password: ****
    Reenter password: ****
    PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.9CA4611006FE96BC77A...

Paste the encrypted long string into the file /etc/grub.d/40_custom together with the set superusers command. Remember to keep the commented lines at the beginning:

    set superusers="root"
    password_pbkdf2 root grub.pbkdf2.sha512.10000.9CA4611006FE96BC77A...

Run grub-mkconfig -o /boot/grub/grub.cfg to import the changes into the main configuration file.

After you reboot, you will be prompted for username and password when trying to boot any menu entry. Enter root and the password you typed during the grub-mkpasswd-pbkdf2 command. If the credentials are correct, the system will boot the selected boot entry.

doc.opensuse.org - Chapter 10. The Boot Loader GRUB2: 10.2.7. Setting a Boot Password (altered slightly for Ubuntu)

Author: slayernoah

Updated on September 18, 2022
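
One way to check the result of the procedure quoted in the answer above, as an added example that is not part of the original answer or the openSUSE documentation: a script that audits a generated grub.cfg. It goes beyond the quoted steps by also flagging plaintext `password` lines and menu entries marked `--unrestricted`, which boot without credentials; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a generated grub.cfg for the boot-password setup.
# Function names and the sample config are constructed for illustration.

# Print each name in "set superusers=..." on its own line.
grub_superusers() {
    sed -n 's/^[[:space:]]*set[[:space:]]*superusers=//p' "$1" |
        tr -d "\"'" | tr ' ,;&|' '\n\n\n\n\n' | sed '/^$/d'
}

# Succeed only if superusers is set and each one has a password_pbkdf2 hash.
grub_superusers_hashed() {
    users=$(grub_superusers "$1")
    [ -n "$users" ] || return 1
    for u in $users; do
        awk -v u="$u" '$1 == "password_pbkdf2" && $2 == u &&
            $3 ~ /^grub\.pbkdf2\./ { ok = 1 } END { exit !ok }' "$1" || return 1
    done
}

# Print users defined with the plaintext "password" command.
grub_plaintext_users() { awk '$1 == "password" { print $2 }' "$1"; }

# Print titles of menu entries that boot without credentials.
grub_unrestricted_entries() {
    sed -n "/^[[:space:]]*menuentry[[:space:]].*--unrestricted/s/^[[:space:]]*menuentry[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# Report findings; exit status 0 means every check passed.
grub_audit() {
    rc=0
    grub_superusers_hashed "$1" || { echo "FAIL: superuser without password_pbkdf2"; rc=1; }
    for u in $(grub_plaintext_users "$1"); do echo "FAIL: plaintext password for $u"; rc=1; done
    grub_unrestricted_entries "$1" | sed 's/^/WARN: boots without password: /'
    [ -z "$(grub_unrestricted_entries "$1")" ] || rc=1
    return $rc
}

# Constructed sample, not a real configuration or hash.
sample_cfg() { cat <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.CONSTRUCTEDSALT.CONSTRUCTEDHASH
password backup constructed-plaintext
menuentry 'Ubuntu' --class ubuntu { }
menuentry 'Memory test' --unrestricted { }
EOF
}
# Demo: audit "$1" if given, otherwise the constructed sample.
if [ -n "${1:-}" ]; then grub_audit "$1"; else
    t=$(mktemp) && sample_cfg > "$t" && { grub_audit "$t" || :; rm -f "$t"; }
fi
```

Run it as root against the file written by grub-mkconfig, for example `sh audit.sh /boot/grub/grub.cfg` (the script name is a placeholder); a non-zero exit status means at least one check failed.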

Comments

  • slayernoah over 1 year

    This is the current content of my grub.conf file.

    # grub.conf generated by anaconda
    #
    # Note that you do not have to rerun grub after making changes to this file
    # NOTICE:  You have a /boot partition.  This means that
    #          all kernel and initrd paths are relative to /boot/, eg.
    #          root (hd0,0)
    #          kernel /vmlinuz-version ro root=/dev/sda3
    #          initrd /initrd-[generic-]version.img
    #boot=/dev/sda
    password --md5 $1$Xw8nQ1$/bLNi3DsrtmtKAgd.pBe0
    default=0
    timeout=10
    splashimage=(hd0,0)/grub/splash.xpm.gz
    hiddenmenu
    # title My OS 1234 (2.6.32-358.el6.i686)
    title Group 10 Linux Server
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.el6.i686 ro root=UUID=f9d7b7b0-3035-4c44-b7e2-97f995e995fb rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
        initrd /initramfs-2.6.32-358.el6.i686.img
    

    The user is prompted for the password only when they try to edit the boot options for the GRUB entry.

    I need to change this so that users are prompted for the password before the OS is loaded.

    Thank you!