I thought I might write a little post about adding a little security to your Ubuntu box. You can use a program within GRUB called md5crypt for this task. You choose a password and md5crypt will generate an encrypted string hash for you. Plug this into your GRUB menu entries and you will be prompted for a password when you try to boot one of those entries.

If you choose to accept it you can accomplish this mission in eleven easy steps:

  1. At the terminal type in grub
  2. Once you get a grub prompt you need to type in the command md5crypt
  3. Type in the password you would like to use for your GRUB bootloader
  4. Md5crypt will generate an encrypted string/hash for you
  5. Copy this string to the clipboard
  6. Quit the GRUB program
  7. Do a change directory into /boot/grub
  8. Open up with sudo (using gedit or favorite text editor) menu.lst
  9. For each GRUB entry you want to protect go under the initrd line and add the following:
  10. passwd — md5 (add one space and add the hash that was generated my md5crypt)
  11. For Windows entries I have had success adding the passwd — md5 + the hash line to the bottom of the Windows GRUB entry.

That is all you need to do. Once you reboot you will be prompted for a password. I should add that password protecting your GRUB bootloader is only a speed bump to someone with a little hacking skills. In Linux, all you need to do to get around a password protected GRUB is to use a live cd when booting the computer. Once you boot into the live cd you can do a chroot into any Linux installation on the hard disk. The chroot makes you root on that install. Once you have used chroot, from the terminal you just have to do a passwd + username to change the password of any user (including root). With root permissions on the box you can also go into the menu.lst file and remove the password checking features of GRUB.

Hacking Windows is just as easy. You can use a distribution like SystemRescueCD to boot the computer and reset the admin password on the Windows install by using a program called ntpass. I just used SystemRescueCD 1.1.0 and they state on their site that ntpass will even reset a Vista admin password. So basically what I am trying to say is that with the exception of encryption programs, like Ubuntu’s package ecryptfs-utils in Intrepid, any data you have on the box is insecure if other people have some skills and physical access to it. However, password protecting the GRUB does manage to block unsophisticated users from booting the system so it is of some value in my book.

3 Responses to “Password Protect Your GRUB Bootloader”

  1. cha says:

    “passwd — md5 (add one space and add the hash that was generated my md5crypt)”

    How has this to look like?
    passwd 123TheMd5Hash123 md5 ?
    or
    passwd — 123theMd5Hash123 ?

  2. Gonzalo Porcel says:

    Well, you can also password protect the bios to make it much harder to boot from a live CD. This will not solve your problem, but it will solve most of the drive-by-hacking that takes place as resetting the BIOS implies opening the case, changing jumpers on a motherboard, etc all in plain view and thus much less likely.

  3. TB says:

    You will never be able to completely stop anyone with physical access to your box from breaking into it.

Leave a Reply