Securing a computer goes beyond more than just using strong passwords. You should consider what happens if an unauthorized person gains physical access to your computer. If the only security feature protecting your data from an unauthorized person is a user account password, then you have not taken enough steps to protect your computer and your data. This article presents all the steps you should take to enhance the physical security profile of your desktop/laptop computer running a Linux distribution.


  1. Set a UEFI/BIOS Password – By default PC vendors generally configure their computers to boot from the hard disk and, failing that, to boot from removable media. You can change this boot order from the UEFI/BIOS setup utility. Which means anybody with physical access to the computer can do it too, not just you. To prevent unauthorized persons from accessing the UEFI/BIOS setup utility, you should enable the UEFI/BIOS password. Enabling the UEFI/BIOS password may also be used to prevent the system from booting.

    Let me illustrate with this scenario. Let’s say some bad guy gains physical access to your computer and that computer was configured to boot from the hard disk and the UEFI/BIOS password was not enabled. To dispense with the headache of having to guess your username and/or password, Mr. Bad Guy could access the UEFI/BIOS and change the boot order so that the computer boots from removable media. Now he can pop in a live distro, boot the computer, mount the drive and … imagine how the story ends.

  2. Password-protect the boot loader – Password-protecting GRUB (GRand Unified Bootloader) 2, the boot loader/boot manager you will most likely be using on a Linux distribution is not commonly done, but it’s possible. Setting a bootloader password ensures that no one with unauthorized physical access to your computer will be able to gain access to single user mode. It also locks access to GRUB’s console. The command to accomplish that on a running system is grub-mkpasswd-pbkdf2. See this link for an example of how to password-protect GRUB on a running system.
  3. Encrypt the hard drive – See this article for why you should encrypt your computer’s disk. It mainly gives an example of how Fedora, a Linux distribution, implements disk encryption in its installer. If you’ve not heard the news yet, Red Hat, the company that supports the development of Fedora, was recently acquired by IBM.
  4. Never use auto-login – When setting a user account password, most Linux distributions will warn you when the password is weak (especially for root). Concerning passwords, try as much as possible to adhere to the following:
    • Always choose strong passwords, minimum of eight characters.
    • Do not base the password on the username. If you are using a distribution that uses the traditional root account system, do not set the root password to be the same as the regular account password.
    • Never enable the automatic login feature. Many Linux distributions have this feature. Do not use it. If you are just introducing your kid or spouse to Linux, do not enable this feature for them. It is a bad security practice. Teach them the value of setting a password from the beginning.
  5. Implement Password Aging – Setting a password for expire, password-aging, is rarely enabled on the desktop, but it’s a feature that’s available in Linux. The graphical user management program on most Linux distributions will allow you to set your passwords to expire at a certain date. An expiration time of six months is the recommended.

If you implement all of the aforementioned tips on your Linux computers, give yourself a five star rating of paranoid. You are ultra secure (four star rating) if you implement steps 2 to 5, and secure (three star rating) if you implement only steps 3 to 5. Consider your security posture weak (two star rating) if you only implement steps 4 and 5 (user account password and password aging). You have a one star rating if you do not implement password aging. Smack yourself if you enable the automatic login feature.

Related Post:  Rate Limiting with NGINX


Share on facebook
Share on twitter
Share on pinterest
Share on linkedin

Hola! Did you notice that no longer runs network ads?  Yep, no more ads from the usual suspects that track you across the Internet.  But since  I still need to pay to keep the site running, feel free to make a small donation by PayPal.

Subscribe for updates. Trust me, no spam!

Mailchimp Signup Form

Sponsored links

1. Attend Algorithm Conference, a top AI and ML event for 2020.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.

Leave a Reply

Your email address will not be published. Required fields are marked *

Get the latest

On social media
Via my newsletter
Mailchimp Signup Form

Partner links

1. Attend Algorithm Conference, a top AI and ML event for 2021.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.
Hacking, pentesting distributions

Linux Distributions for Hacking

Experts use these Linux distributions for hacking, digital forensics, and pentesting.


The authors of these books are confirmed to speak during

Algorithm Conference

T-minus AI

Author was the first chairperson of AI for the U.S. Air Force.

The case for killer robots

Author is the Director of the Center for Natural and Artificial Intelligence.

Why greatness cannot be planned

Author works on AI safety as a Senior Research Scientist at Uber AI Labs.

Anastasia Marchenkova

An invitation from Anastasia Marchenkova

Hya, after stints as a quantum researcher at Georgia Tech Quantum Optics & Quantum Telecom Lab, and the University of Maryland Joint Quantum Institute, I’m now working on superconducting qubit quantum processors at Bleximo. I’ll be speaking during Algorithm Conference in Austin, Texas, July 16 – 18, 2020. Meet me there and let’s chat about progress and hype in quantum computing.