CRYPTCOFFEE

Misc - Research - Team - Contact 

Last Update: Sep 28, 2015


                  -----[ GRUB2 Password Tips ]-----

This document is intended to be a quick note about securing GRUB boot loader
configuration with a passphrase.

First of all you have to generate a strong key. This can be done through:

# grub-mkpasswd-pbkdf2


The utility uses pbkdf2-hmac-sha512 to protect your passphrase against
brute-force attacks.

You can adjust the iteration count in order to improve the strength of the key
derivation process with the -c option. The default value is 10000.

# grub-mkpasswd-pbkdf2 -c1000000


Then you have to set a superuser in your GRUB configuration file. To preserve
changes form future updates edit the /etc/grub.d/40_custom file.
Add these lines:

 ----[ /etc/grub.d/40_custom ]-----
|
|  set superusers="py"							      
|  password_pbkdf2 py grub.pbkdf2.sha512.1000000.11BD0653432FE3A7E2E3B00E... 
|
 --------------------------------------------------


If you want the password to prevent access to the GRUB command console only,
you can use the --unrestricted option. Modify the script in /etc/grub.d/10_linux
adding after:

 ----[ /etc/grub.d/10_linux ]-----
|
|  CLASS="--class gnu-linux --class gnu --class os"
|
|  if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
|    OS=Linux
|  else
|    OS="${GRUB_DISTRIBUTOR} Linux"
|    CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr 'A-Z' 'a-z' | cut -d' ' 
|    -f1|LC_ALL=C sed 's,[^[:alnum:]_],_,g') ${CLASS}"
|  fi
|
 --------------------------------------------------


The line:

 ----[ /etc/grub.d/10_linux ]-----
|
|  CLASS="--unrestricted ${CLASS}"
|  
 --------------------------------------------------


Now just run:

# grub-mkconfig -o /boot/grub/grub.cfg


This will set the unrestricted option to all the GRUB menu entry.

Alternatively you can make a "sporca" - a dirty trick ;) - by editing the
generated /boot/grub/grub.cfg after having run grub-mkconfig.

Add the option --unrestricted to every menuentry you want, like this:


 ----[ /boot/grub/grub.cfg ]-----
|
|  menuentry 'Arch Linux' --unrestricted --class arch --class gnu-linux 
|  --class gnu --class os $menuentry_id_option 
|  'gnulinux-simple-2e0270af-9ced-4c4f-b728-bf7199f2c5a1' {
|
 --------------------------------------------------


Note that /boot/grub/grub.cfg will be overwritten if you run grub-mkconfig
again.



----------
[1]  ArchLinux wiki
Creative Commons License

crypt.coffee website by cryptcoffee is licensed under a
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.