Setting a boot loader password

What is a boot loader?

A boot loader (also called a boot program or bootstrap loader) is the small piece of software that runs before the Linux operating system. After we power up the system, the boot loader loads the Linux kernel into memory, passes it its kernel parameters and hands it an initial RAM disk, the initrd (init for initial, r for RAM, d for disk).

The Linux kernel is the core of the Linux operating system; once it is running, it starts the init process (init for initialization). The initrd is loaded alongside the kernel as part of the boot procedure and provides a temporary root file system in memory, holding the drivers and tools the kernel needs before the real root file system can be mounted.

On systems that use BIOS, the first stage of the boot loader lives in the MBR (Master Boot Record), the first 512 bytes of the disk. Systems that use UEFI store the boot loader in a special partition called the EFI System Partition. The boot loader is loaded by the BIOS or UEFI firmware right after a successful POST (power-on self-test), the check the firmware performs when the computer is powered on. The most popular boot loader for Linux operating systems is GRUB (GRand Unified Bootloader). GRUB supports both BIOS and UEFI and handles all popular Linux file systems (Btrfs, ext4, VFAT, XFS). Modern GRUB (GRUB 2), compared to GRUB Legacy first released in 1995, is cleaner, more powerful and safer.

Important to know:

  • The boot loader is the software that loads the Linux kernel and the initrd.
  • The Linux kernel is the core of the Linux operating system and it starts the init process.
  • On BIOS based systems, the first stage of the boot loader is stored in the MBR.
  • On UEFI based systems, the boot loader is stored in the EFI System Partition; in both cases it is loaded right after POST.
  • GRUB is the boot loader most Linux distributions use; it supports all popular Linux file systems.

How to set a boot loader password

A boot loader password is set when we want to protect a system against anyone who can reach its console. Without it, a person at the keyboard can press e at the GRUB menu, append init=/bin/bash or single to the kernel line and boot straight into a root shell without knowing any Linux password; the GRUB command line (c) gives similar access. Setting a boot loader password is one layer of so-called "server hardening", the set of security measures that protect a system at several levels. Keep in mind what it does not do: someone who can remove the disk or boot from other media can still read the data, which is what full-disk encryption is for.

# cd /etc/grub.d

/etc/grub.d is the directory that holds the scripts grub2-mkconfig runs to build the GRUB configuration; each script prints a fragment that ends up in grub.cfg, so the lines we add must go inside the script's cat heredoc, not bare in the file. To set a password, we will open 01_users in a text editor and add a superuser and a password directive. Do not use the plain password directive, which stores the password in clear text in 01_users and in grub.cfg; instead run grub2-mkpasswd-pbkdf2, enter the password twice, copy the string it prints (it starts with grub.pbkdf2.sha512.) and use it with password_pbkdf2. On recent RHEL/CentOS 7 releases the stock 01_users already reads such a hash from /boot/grub2/user.cfg and grub2-setpassword writes that file for you; on those systems prefer that tool over editing 01_users.

# nano /etc/grub.d/01_users

set superusers="themozak"
password_pbkdf2 themozak grub.pbkdf2.sha512.10000.<salt>.<hash>

(Replace <salt>.<hash> with the rest of the string grub2-mkpasswd-pbkdf2 printed; the placeholder is not a valid hash.)

Save the file and go back to the grub.d directory. Next, edit the 10_linux file in the same directory.

# nano /etc/grub.d/10_linux

CLASS="--class gnu-linux --class gnu --unrestricted --class os"

Locate the CLASS variable and remove the --unrestricted argument, save the file and exit nano. With --unrestricted removed, every generated menu entry requires the superuser password even to boot, so an unattended reboot will stop at the GRUB menu until someone types it in. If the machine must be able to come back up on its own, leave --unrestricted in place: anyone can then boot the entries, but editing an entry or entering the GRUB command line still asks for the superuser password.

Re-configuring GRUB files

After the changes have been made, we must regenerate grub.cfg: the scripts in /etc/grub.d are only inputs, and GRUB reads grub.cfg. Navigate to the /boot/grub2/ directory and make a backup copy of the grub.cfg file.

# cd /boot/grub2/
# cp grub.cfg grub.cfg.bak

Then, use the grub2-mkconfig command to generate a new configuration and overwrite grub.cfg; the .bak copy lets us restore the old configuration if something goes wrong. On a UEFI system the file to regenerate is /boot/efi/EFI/<distribution>/grub.cfg instead of /boot/grub2/grub.cfg. Before rebooting, check with grep that the set superusers and password_pbkdf2 lines appear in the new grub.cfg. When grub2-mkconfig finishes, reboot the machine and confirm that GRUB asks for the user name and password before booting an entry (or before editing one, if --unrestricted was kept).

# grub2-mkconfig -o /boot/grub2/grub.cfg
# reboot
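The whole procedure above as one script, added here for illustration (it is not code from the original post): it writes 01_users with a password_pbkdf2 hash rather than a plaintext password, removes --unrestricted from 10_linux while keeping a backup, checks what 01_users will contribute to grub.cfg, and only backs up and regenerates /boot/grub2/grub.cfg when run against the live root, so the same script can be rehearsed in a scratch directory first. The RHEL-style paths, the file name harden_grub.sh, the user name themozak and the hash value are assumptions; produce the real hash with grub2-mkpasswd-pbkdf2.

```sh
#!/bin/sh
# Added example, not part of the original post: apply the GRUB2 password
# hardening described above with a PBKDF2 hash instead of a plaintext
# password, against a configurable root so the steps can be rehearsed in a
# scratch directory before they touch /etc and /boot.
#
# Assumptions (mine, not the page's): a GRUB2 layout with /etc/grub.d and
# /boot/grub2 (RHEL/CentOS/Fedora on BIOS); the user "themozak" is a
# placeholder; the hash is the "grub.pbkdf2.sha512...." string printed by
# running grub2-mkpasswd-pbkdf2 and entering the password twice.
set -eu

# Accept only a hash in the format grub2-mkpasswd-pbkdf2 produces
# (grub.pbkdf2.sha512.<iterations>.<salt>.<hash>), so a slip never writes
# a plaintext password into grub.cfg.
is_pbkdf2_hash() {
    case "$1" in
        *[[:space:]]*) return 1 ;;
        grub.pbkdf2.sha512.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write /etc/grub.d/01_users. grub2-mkconfig executes every script in
# /etc/grub.d and pastes what it prints into grub.cfg, so the GRUB
# directives go inside a heredoc rather than bare in the file.
write_01_users() {  # $1 = grub.d dir, $2 = superuser name, $3 = pbkdf2 hash
    is_pbkdf2_hash "$3" || { echo "refusing non-PBKDF2 password" >&2; return 1; }
    cat > "$1/01_users" <<EOF
#!/bin/sh
cat <<GRUB
set superusers="$2"
export superusers
password_pbkdf2 $2 $3
GRUB
EOF
    chmod 0700 "$1/01_users"   # root runs grub2-mkconfig; nobody else needs to read the hash
}

# Drop --unrestricted from the CLASS line of 10_linux so every generated
# menu entry needs the superuser password to boot, not only to edit.
# Leave this step out for servers that must come back up unattended.
strip_unrestricted() {  # $1 = path to 10_linux
    cp -p "$1" "$1.bak"
    sed '/^CLASS=/s/ --unrestricted//' "$1.bak" > "$1"
}

# Pre-flight check: render 01_users the way grub2-mkconfig will, by
# executing it, and print its output.
render_01_users() {  # $1 = grub.d dir
    sh "$1/01_users"
}

harden_grub() {  # $1 = root dir ("/" on the live system), $2 = user, $3 = hash
    grubd="$1/etc/grub.d"
    write_01_users "$grubd" "$2" "$3"
    strip_unrestricted "$grubd/10_linux"
    render_01_users "$grubd" | grep -q "^password_pbkdf2 $2 grub\.pbkdf2\." || return 1
    # Only on the live system: back up grub.cfg and regenerate it. On UEFI
    # the file is /boot/efi/EFI/<distribution>/grub.cfg instead.
    if [ "$1" = "/" ] && command -v grub2-mkconfig >/dev/null 2>&1; then
        cp -p /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak
        grub2-mkconfig -o /boot/grub2/grub.cfg
    fi
}

# Usage: sh harden_grub.sh apply / themozak 'grub.pbkdf2.sha512.10000.<salt>.<hash>'
# Rehearsal: sh harden_grub.sh apply /tmp/stage themozak '<hash>' after
# copying /etc/grub.d/10_linux into /tmp/stage/etc/grub.d/.
if [ "${1:-}" = "apply" ]; then
    harden_grub "$2" "$3" "$4"
fi
```

Run it against a staging directory first and inspect the rendered 01_users output and the modified 10_linux; only then run it with / as the root, and reboot to confirm GRUB prompts for the user name and password. On RHEL/CentOS 7.2 and later, grub2-setpassword writes the hash to /boot/grub2/user.cfg and works with the stock 01_users, which is the simpler route on those systems.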
