How to password-protect GRUB

Password-protecting the bootloader is one method you may employ to enhance the physical security profile of your computer. GRUB, the GRand Unified Bootloader, is the default bootloader on virtually all Linux distributions, but on a significant number of them, the installer does not have support for setting a GRUB password. This article presents the steps involved in password-enabling GRUB on a running system.

Before we go through the steps involved in setting a password for GRUB, it’s best to understand why this is even necessary. Principally, we password-enable GRUB to:

  1. Prevent Access To Single User Mode — If an attacker can boot into single user mode, he becomes the root user.
  2. Prevent Access To the GRUB Console — If the machine uses GRUB as its boot loader, an attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command.

If your distribution’s installer has support for setting a GRUB password, the process involved should be similar to the one shown in the image below, which was taken from a similar Fedora 13 tutorial. Just check “Use a boot loader password” and the installer will prompt for a password.

[Image: Specifying boot loader password]

If your distribution’s installer does not have support for setting a password for GRUB, you can still do it after installation. The process involved in this exercise is the same across distributions. However, for this article, an installation of Fedora 13 was used. Here are the steps involved:

  1. From a shell terminal, run the grub-md5-crypt command. The password that’s requested will be the one that’ll be used to protect GRUB. It should not be the same as that of any user account on the system, certainly not the same as the root password. Note the md5 hash generated. You will need it in the next step.
    [Image: Generate the md5 hash for password-protecting GRUB]
  2. Edit /etc/grub.conf as shown in the image. Just add another line below the “timeout” line and type in password --md5 followed by the md5 hash generated in step 1, as shown in the image. Save the file. Reboot and try to access other features of GRUB by pressing the “p” key. Did it work?
    [Image: Edit grub.conf]
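
The two steps above as a script, added here as an example and not taken from the original article: it inserts the password line after the timeout line of a GRUB Legacy configuration and checks that a hashed password directive sits in the global section, before the first title entry. The function names, the temporary file and the hash value are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article). Function names and sample data are hypothetical.

# Print OK and return 0 only if "password --md5 ..." appears in the global
# section, i.e. before the first "title" line.
audit_grub_password() {
    awk '
        /^[ \t]*title[ \t]/ { exit }
        /^[ \t]*password[ \t]/ { found = 1; hashed = ($2 == "--md5"); exit }
        END {
            if (!found)  { print "MISSING";     exit 1 }
            if (!hashed) { print "NO_MD5_FLAG"; exit 1 }
            print "OK"
        }
    ' "$1"
}

# Insert "password --md5 HASH" after the first timeout line of FILE.
# Returns 2 for a value that is not MD5-crypt, 3 if there is no timeout line,
# 4 if a password directive without --md5 is already present.
add_grub_password() {
    conf=$1 hash=$2
    case $hash in
        '$1$'*) ;;                       # format produced by grub-md5-crypt
        *) echo "expected an MD5-crypt hash (\$1\$...)" >&2; return 2 ;;
    esac
    st=$(audit_grub_password "$conf") || true
    [ "$st" = OK ] && return 0           # already protected, nothing to do
    [ "$st" = MISSING ] || return 4
    tmp=$(mktemp) || return 1
    awk -v line="password --md5 $hash" '
        { print }
        !done && /^[ \t]*timeout[ \t=]/ { print line; done = 1 }
        END { exit(done ? 0 : 3) }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 3; }
    cat "$tmp" > "$conf"    # write in place so ownership and symlinks survive
    rm -f "$tmp"
    chmod 600 "$conf"       # keep the hash readable by root only
}

# Demo on a constructed file, not the live /etc/grub.conf.
demo=$(mktemp)
printf 'default=0\ntimeout=5\ntitle Fedora\n' > "$demo"
add_grub_password "$demo" '$1$constructed$placeholder0000000000'
audit_grub_password "$demo"    # prints OK
rm -f "$demo"
```

Run it against a copy of the configuration first; the audit function alone is read-only and can be used to check an existing file.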

Complete this simple process, and you will have taken a small but significant step towards enhancing the physical security profile of your computer.



  1. I thought you had to add the ‘lock’ option to each entry in the grub?


  4. Does this password-protect the computer from booting at all? Can we prevent individual GRUB entries from being booted without the PW, but let others boot without a PW? The practical and real-world uses are a bit light on details here…

    • It does not. The reasons for password-enabling the GRUB (or any other bootloader’s) console are given at the top of the article. To prevent the computer from being booted by unauthorized persons, you will have to configure full disk encryption. Full disk encryption and password-enabling the GRUB console are just one of several methods you may use to enhance the physical security profile of your computer.

      “Can we prevent individual GRUB entries from being booted without the PW …?” In a dual-boot configuration, yes you can.

