25.6. Protecting GRUB 2 with a Password

GRUB 2 offers two types of password protection:
  • Password is required for modifying menu entries but not for booting existing menu entries;
  • Password is required for modifying menu entries and for booting one, several, or all menu entries.

Configuring GRUB 2 to Require a Password only for Modifying Entries

To require password authentication for modifying GRUB 2 entries, follow these steps:
  1. Run the grub2-setpassword command as root:
    ~]# grub2-setpassword
  2. Enter and confirm the password:
    Enter password:
    Confirm password:
Following this procedure creates a /boot/grub2/user.cfg file that contains the hash of the password. The user for this password, root, is defined in the /boot/grub2/grub.cfg file. With this change, modifying a boot entry during booting requires you to specify the root user name and your password.

Configuring GRUB 2 to Require a Password for Modifying and Booting Entries

Setting a password using the grub2-setpassword prevents menu entries from unauthorized modification but not from unauthorized booting. To also require password for booting an entry, follow these steps after setting the password with grub2-setpassword:

Warning

If you forget your GRUB 2 password, you will not be able to boot the entries you reconfigure in the following procedure.
  1. Open the /boot/grub2/grub.cfg file.
  2. Find the boot entry that you want to protect with password by searching for lines beginning with menuentry.
  3. Delete the --unrestricted parameter from the menu entry block, for example:
    [file contents truncated]
    menuentry 'Red Hat Enterprise Linux Server (3.10.0-327.18.2.rt56.223.el7_2.x86_64) 7.2 (Maipo)' --class red --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-327.el7.x86_64-advanced-c109825c-de2f-4340-a0ef-4f47d19fe4bf' {
            load_video
            set gfxpayload=keep
    [file contents truncated]
  4. Save and close the file.
Now even booting the entry requires entering the root user name and password.

Note

Manual changes to the /boot/grub2/grub.cfg persist when new kernel versions are installed, but are lost when re-generating grub.cfg using the grub2-mkconfig command. Therefore, to retain password protection, use the above procedure after every use of grub2-mkconfig.

Note

If you delete the --unrestricted parameter from every menu entry in the /boot/grub2/grub.cfg file, all newly installed kernels will have menu entry created without --unrestricted and hence automatically inherit the password protection.

Passwords Set Before Updating to Red Hat Enterprise Linux 7.2

The grub2-setpassword tool was added in Red Hat Enterprise Linux 7.2 and is now the standard method of setting GRUB 2 passwords. This is in contrast to previous versions of Red Hat Enterprise Linux, where boot entries needed to be manually specified in the /etc/grub.d/40_custom file, and super users - in the /etc/grub.d/01_users file.

Additional GRUB 2 Users

Booting entries without the --unrestricted parameter requires the root password. However, GRUB 2 also enables creating additional non-root users that can boot such entries without providing a password. Modifying the entries still requires the root password. For information on creating such users, see the GRUB 2 Manual.