3.2 Configuring a GRUB Password

If a system is not kept in a locked data center, you can add a degree of protection by requiring that a valid password be provided to the GRUB boot loader. You can do this as an alternative to using any password protection mechanism built into the BIOS.

Note

Password protecting GRUB access prevents unauthorized users from entering single user mode and changing settings at boot time. It does not prevent someone from accessing data on the hard drive by booting into an operating system from a memory stick, or physically removing the drive to read its contents on another system.

To configure a GRUB password:

  1. Use the following command to generate the MD5 hash of your password:

    # /sbin/grub-md5-crypt
    Password: clydenw
    Retype password: clydenw
    $1$qhqh.1$7MQxS6GHg4IlOFMdnDx9S.

  2. Edit /boot/grub/grub.conf, and add a password entry below the timeout entry near the top of the file, for example:

    timeout=5
    password --md5 pwhash

    where pwhash is the hash value that grub-md5-crypt returned.

  3. If GRUB has been configured to boot multiple operating systems on the same machine, add a lock entry after the title entry for each operating system, for example:

    title Windows
    lock

When you reboot the machine, you must press P and enter the password before you can access the GRUB command interface.
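
The following check is an added example, not part of the original guide. It audits a grub.conf against steps 2 and 3: an --md5 password entry must appear before the first title, and on a multi-boot configuration every title must be followed directly by lock. The function names audit_grub_conf and sample_conf and the sample boot entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks a GRUB legacy grub.conf against steps 2 and 3 above.
# Prints one FINDING line per problem; returns 0 if clean, 1 otherwise.
audit_grub_conf() {
    awk '
        function finding(msg) { print "FINDING: " msg; bad = 1 }
        { sub(/^[ \t]+/, "") }              # ignore indentation
        /^#/ || /^$/ { next }               # skip comments and blank lines
        /^title([ \t]|$)/ {                 # start of a boot entry
            n++; name[n] = $0; locked[n] = 0; first = 1
            next
        }
        n == 0 && /^password([ \t=]|$)/ {   # global section only
            have_pw = 1
            if ($0 !~ /--md5[ \t]+\$1\$/)
                finding("password entry is not an --md5 hash")
            next
        }
        n > 0 {                             # lock must directly follow title
            if (first && /^lock([ \t]|$)/) locked[n] = 1
            first = 0
        }
        END {
            if (!have_pw) finding("no password entry before the first title")
            if (n > 1)                      # step 3 applies to multi-boot only
                for (i = 1; i <= n; i++)
                    if (!locked[i])
                        finding("no lock directly after \"" name[i] "\"")
            exit bad + 0
        }
    ' "${1:--}"
}

# Constructed sample: the hash is the one shown in step 1.
sample_conf() {
    cat <<'EOF'
default=0
timeout=5
password --md5 $1$qhqh.1$7MQxS6GHg4IlOFMdnDx9S.
title Oracle Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda2
title Windows
        lock
        rootnoverify (hd0,1)
        chainloader +1
EOF
}

sample_conf | audit_grub_conf - || true
```

On a real system, pass the file path instead of reading standard input, for example audit_grub_conf /boot/grub/grub.conf. A password line that still contains the literal placeholder pwhash is also reported, because it is not an MD5 hash.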

For more information, use the info grub command to access the GRUB manual.