OS: CentOS 6.0
Sometimes it becomes necessary to protect grub.conf with a password, to prevent any user or other system administrator from editing the grub file during reboot.
For example, during boot-up, after BIOS initialization, the system executes the grub file and shows the operating system menu. At this point, pressing “e” allows the user to edit the grub file for that OS.
1. General encryption (the password is stored in plain text)
linuxdba --> cat /etc/grub.conf
default=0
timeout=2
password=123456
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS Linux (2.6.32-71.29.1.el6.i686)
root (hd0,0)
kernel /vmlinuz-2.6.32-71.29.1.el6.i686 ro root=UUID=952ed41c-139d-4d77-a31c-e1c8ec15f402 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet
initrd /initramfs-2.6.32-71.29.1.el6.i686.img
2. MD5 encryption
Different operating systems provide different levels of protection against this. In Red Hat, there is a utility called grub-md5-crypt. Using grub-md5-crypt, we can protect the grub file from modification by unknown users. Only users who know the grub password will be able to edit the grub file during boot, as it will ask for the password.
The following are the steps to generate an MD5-encrypted password and protect the grub file.
2.1
linuxdba -->grub-md5-crypt
Password:
Retype password:
$1$E2lbI0$pBgWrEj.gAjYQLKv4aDKU/
It asks for the password and a confirmation of the same. Once you enter the password, it generates a 32-character string, which is an encrypted form of your password.
2.2
Make the following entry in /etc/grub.conf, just before the first “title” line:
linuxdba -->vi /etc/grub.conf
password --md5 $1$E2lbI0$pBgWrEj.gAjYQLKv4aDKU/
linuxdba -->cat /etc/grub.conf
default=0
timeout=2
#password=123456
password --md5 $1$E2lbI0$pBgWrEj.gAjYQLKv4aDKU/
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS Linux (2.6.32-71.29.1.el6.i686)
root (hd0,0)
kernel /vmlinuz-2.6.32-71.29.1.el6.i686 ro root=UUID=952ed41c-139d-4d77-a31c-e1c8ec15f402 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet
initrd /initramfs-2.6.32-71.29.1.el6.i686.img
Reboot the system. This time, when it reaches the menu, it asks you to press “p” in order to enter the password.
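To check the result before rebooting, the script below reports whether the section before the first "title" carries an MD5 password, a plain-text one, or none, and whether the file is readable by group or others. It is an added example, not part of the original post: the function names are illustrative, the sample file is constructed from the listing above, and the permission check is an extra step the post does not cover.

```shell
#!/bin/sh
# Added example (not from the original post): audit a GRUB legacy config
# for the password setup described above.

# Print how the global section (before the first "title") is protected:
#   none | plaintext | md5 | after-title
grub_password_state() {
    awk '
        /^[ \t]*#/ { next }                        # commented-out lines do not count
        /^[ \t]*title([ \t]|$)/ { in_entries = 1 }
        /^[ \t]*password([ \t=]|$)/ {
            if (in_entries) { if (state == "") state = "after-title"; next }
            if ($0 ~ /^[ \t]*password[ \t=]+--md5[ \t]+\$1\$/) state = "md5"
            else state = "plaintext"
        }
        END { print (state == "" ? "none" : state) }
    ' "$1"
}

# Succeed only if neither group nor others can read the file, since it
# holds either the password itself or its hash. -L follows a symlink.
grub_conf_private() {
    [ -z "$(find -L "$1" \( -perm -040 -o -perm -004 \))" ]
}

# Constructed sample mirroring the final grub.conf in the post
# (kernel line shortened; hash copied from the post).
write_sample() {
    cat > "$1" <<'EOF'
default=0
timeout=2
#password=123456
password --md5 $1$E2lbI0$pBgWrEj.gAjYQLKv4aDKU/
hiddenmenu
title CentOS Linux (2.6.32-71.29.1.el6.i686)
root (hd0,0)
kernel /vmlinuz-2.6.32-71.29.1.el6.i686 ro quiet
initrd /initramfs-2.6.32-71.29.1.el6.i686.img
EOF
}

conf="${1:-}"
if [ -z "$conf" ]; then
    conf=$(mktemp) && write_sample "$conf" && chmod 600 "$conf"
fi
echo "password: $(grub_password_state "$conf")"
grub_conf_private "$conf" && echo "permissions: ok" || echo "permissions: group/world readable"
```

Pass the path to check as the first argument, for example /etc/grub.conf; with no argument the script runs against the constructed sample.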
Reference Page: http://avdeo.com/2008/09/08/protecting-grub-file-using-md5-password-encryption/