Securing GRUB

Why?
In most cases the standard GRUB installation is not secure. This means everyone that has physical access to the computer may change settings for the boot up. In doing so one might boot into a single-user mode without being asked for a password. This way your system is vulnerable to an attack.

Using the security features from GRUB you can secure the boot menu and every entry if desired. The advantage over LILOs plain text password is that GRUB uses a MD5 encrypted password which can not be read simply by reading the GRUB configuration file.

How?
To generate the MD5 password enter the GRUB shell (grub): grub> md5crypt Password: ********** Encrypted: $1$wgf8G0$Tt7XAsoiEAOU4PALAzkaL0 Copy the encrypted password and exit the GRUB shell (quit). You need to edit the GRUB configuration (/boot/grub/menu.lst) and insert the following line (before the title-Sections): password --md5 PASSWORD Swap PASSWORD with the above created MD5 password. This way GRUB prevents someone from editing the boot up commands by asking for your password. If you want to protect a boot menu entry from being booted insert the line lock right after title. Entries before lock can be executed so it's important where lock is inserted!

Example
default 0 fallback 1 timeout 10 password --md5 $1$wgf8G0$Tt7XAsoiEAOU4PALAzkaL0 title Linux-2.4.25 root (hd0,4) kernel /bzImage-2.4.25-super root=/dev/hda6 ro title Linux-2.4.22-supermount-acpi lock root (hd0,4) kernel /bzImage-2.4.22-super-acpi root=/dev/hda6 ro