Ubuntu – How to password protect Grub menu

grub2

How to password protect Grub menu from the ro recovery nomodeset command.
I want it so that no one can make changes to the menu to try to get into recovery unless they have the password.

Best Answer

Grub allows you to password protect its config and console, as well as individual operating system entries. Please note that this will not stop dedicated individuals, especially the ones that know what they are doing. But I assume you know that. Let's get started.

generate a password hash..

You could store your grub password in plain text but that is entirely insecure and anyone that had access to your account could quickly figure it out. To prevent this we hash the password using the grub-mkpasswd-pbkdf2 command, like so:

user@host~ % grub-mkpasswd-pbkdf2
Enter password: 
Reenter password: 
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.63553D205CF6E...  

While you type your password, no characters will show in the terminal; this is to prevent people looking over your shoulder, etc. Now, copy the entirety of your hash with Ctrl+Shift+C.

protecting the config, console..

Run:

sudo nano /etc/grub.d/40_custom  

This will create a new configuration file called 40_custom in grub's configuration directory. Now add the lines:

set superusers="username"  
password_pbkdf2 username hash  

Where username is a username of your choice and hash is the hash we generated in the last command. Press Ctrl+O and then Ctrl+X to save and quit. Run:

sudo update-grub  

To finalize the changes. Now, when anyone attempts to edit the grub configuration or access a grub console it will prompt them for a username and password.

password protecting operating system entries..

Currently the only method to achieve this I can find is to edit the /boot/grub/grub.cfg manually. This is only temporary, however, as any new kernel update will rewrite this file and your passwords will be gone (note that this doesn't affect the console/editing password we set above). All other methods I have found so far are extremely out of date and I can no longer get them to work.

I've asked the grub mailing list if there is a newer method and will edit this answer as soon as I find out.
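
Because grub.cfg is regenerated on every kernel update, it helps to check afterwards that the protection from this answer is still in the generated file. The script below is an added example, not part of the original answer: `audit_grub_cfg` and `write_sample_cfg` are hypothetical helper names, and the sample hash is a constructed, shortened value.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): audit a generated grub.cfg.

# Prints one finding per line. Returns 0 if protected, 1 if not, 2 on read error.
audit_grub_cfg() {
    local cfg="$1" rc=0 users user
    [ -r "$cfg" ] || { echo "ERROR: cannot read $cfg"; return 2; }

    # Assumes the quoted form used above; the last 'set superusers="..."' wins.
    # GRUB accepts spaces, commas, semicolons, pipes or ampersands as separators.
    users=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers="\([^"]*\)".*/\1/p' "$cfg" \
            | tail -n 1 | tr ',;|&' '    ')
    if [ -z "$users" ]; then
        echo "FAIL: superusers is not set, so editing and the console are open"
        rc=1
    fi

    for user in $users; do
        # Expect: password_pbkdf2 <user> grub.pbkdf2.sha512.<iter>.<salt>.<hash>
        if awk -v u="$user" '$1 == "password_pbkdf2" && $2 == u &&
               $3 ~ /^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$/ { ok = 1 }
               END { exit !ok }' "$cfg"; then
            echo "OK: $user has a PBKDF2 hash"
        else
            echo "FAIL: superuser $user has no well-formed password_pbkdf2 line"
            rc=1
        fi
    done

    # The plain 'password' command keeps the secret in clear text in the file.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "FAIL: plaintext 'password' directive present"
        rc=1
    fi
    return "$rc"
}

# Writes a constructed sample config to $1; $2 selects "hashed" or "plain".
write_sample_cfg() {
    {
        echo 'set superusers="admin"'
        if [ "$2" = "hashed" ]; then
            # Constructed, shortened salt/hash values for illustration only.
            echo 'password_pbkdf2 admin grub.pbkdf2.sha512.10000.A1B2C3D4.0F1E2D3C'
        else
            echo 'password admin example-secret'
        fi
        echo 'menuentry "Ubuntu" { linux /vmlinuz root=/dev/sda1 ro }'
    } > "$1"
}
```

Source the script and call `audit_grub_cfg /boot/grub/grub.cfg` as root after `sudo update-grub`, and again after kernel updates.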
