Introduction to encryption of grub boot program in Linux

1. What is grub encryption

As mentioned in the previous article, when the system boots there is a 5-second countdown during which you can enter the grub menu.

As shown in the following figure:

At this time, we press the Enter key to enter the grub interface.

As shown in the following figure:

Just below the selection box you can see a few lines of prompts:

# Use the ↑ and ↓ keys to highlight an option and press Enter to boot the selected operating system.
Use the ↑ and ↓ keys to select which entry is highlighted.
Press enter to boot the selected OS,

# Press e to edit the commands before booting,
'e' to edit the commands before booting,

# Press a to modify the kernel arguments before booting,
'a' to modify the kernel arguments before booting,

# or press c for a command line (press Esc to return to the menu).
or 'c' for a command-line.

From this prompt you can see that pressing the e key lets you edit the boot entries from the grub configuration file.

After pressing the e key, the result is as follows:

Tip: Press the e key again to modify the content directly.

Grub encryption means that, in the state shown in the second picture above, you must first enter the password we set before you can press the e key and edit the boot parameters. In other words, setting a password for grub prevents anyone from simply entering the grub menu and editing the boot parameters as shown above.

2. grub encryption steps

1) Run the grub-md5-crypt command to generate an MD5 password hash.

Execute the command: [root@localhost ~]# grub-md5-crypt

2) Set a password.

Enter your password twice:

Password:
Retype password:

The generated MD5 password hash: $1$Y84LB1$8tMY2PibScmu0Cc8z8U351

The password you entered is hashed with MD5 (MD5-crypt), and this hash string is what goes into the grub configuration file to protect it.

3) Modify the grub configuration file.

The password line must be placed in the global section: after the timeout line and before the splashimage line, in that order. It will not take effect in other positions.

As shown below:

[root@localhost ~]# vim /boot/grub/grub.conf

# Content:
default=0
timeout=5

# The password option is placed in the global settings.
password --md5 $1$Y84LB1$8tMY2PibScmu0Cc8z8U35/

splashimage=(hd0,0)/grub/splash.xpm.gz

4) Reboot the system.

After rebooting, we find that in the grub menu the prompt at the bottom has changed: the original e key has been replaced by a p key.

Pressing the e key now does nothing. Pressing the p key asks for the password; you cannot edit the grub entries without entering it.

As shown in the following figure:

After entering the password and pressing Enter, you return to the grub menu in editable mode, and the e key prompt appears again. As shown below:

Notice:

When you are at the first picture of step 4, you can still press Enter and boot the system directly, even without knowing the password. So grub encryption protects editing of the grub configuration file, not booting the system.

The steps above protect the whole grub menu. Once this is in place, entering the grub editing interface requires the correct password, while normal system startup is unaffected.

There is also a per-entry password (a password line inside a single boot entry), but it cannot lock the grub editing mode: you can still press the e key to enter editing mode, and once there you can simply delete the password line. That is not very useful, so I won't explain it.

3. Lock attribute of grub encryption

What if I want grub not only protected as a whole, but also to require the correct grub password at boot time before the CentOS system will start at all? How is that done?

It's very simple. In grub's /boot/grub/grub.conf configuration file, add a lock line inside the title entry to mark it as locked. If the correct grub password has not been entered, that entry cannot be booted.

As shown in the following figure:

Notice:

Do not add the lock attribute. If lock is present in the grub configuration file, pressing Enter without first entering the password no longer boots the system; an error is reported, as shown below:

It reports error 32. Press any key to continue and you return to the menu.

Why you must not add lock:

When the system starts and enters the grub boot stage, the system itself has not yet come up: the network card has not been loaded, so no remote terminal can connect to the server, and the password can only be typed at the local keyboard. Servers are usually in data centers or at remote sites, which makes this very inconvenient. Therefore you must not use lock in the grub configuration file.
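The following audit script is an added example, not part of the original article: it checks a GRUB Legacy grub.conf for the global password line from section 2 (well-formed MD5-crypt hash, placed before the first title) and flags any lock lines from section 3. The check_grub_conf and sample_conf names and the sample configurations are constructed for this example; the hash is the one shown above.

```shell
#!/bin/sh
# Added example (not from the article): audit a GRUB Legacy grub.conf for the
# password and lock settings discussed above. Assumes GRUB Legacy syntax only.

# check_grub_conf FILE
# Prints one finding per line; returns 0 only when a global "password --md5"
# line with a well-formed MD5-crypt hash appears before the first "title".
check_grub_conf() {
    awk '
        BEGIN { in_global = 1 }
        $1 ~ /^#/ || NF == 0 { next }                       # comments, blanks
        $1 == "title" { in_global = 0; entry = $0; next }   # leaving global section
        $1 == "password" {
            # a valid --md5 value looks like $1$<salt>$<22 hash chars>
            n = split($3, p, "$")
            if ($2 == "--md5" && n == 4 && p[2] == "1" && length(p[4]) == 22) {
                if (in_global) pw_ok = 1; else pw_entry = 1
            } else {
                pw_bad = 1
            }
            next
        }
        $1 == "lock" && !in_global { locks++; print "LOCK: " entry }
        END {
            if (pw_ok)    print "OK: global --md5 password before first title"
            if (pw_entry) print "WARN: password only inside a menu entry; e still works there"
            if (pw_bad)   print "WARN: password line without a well-formed --md5 hash"
            if (locks)    print "WARN: " locks " locked entry(s) need the password at the console to boot"
            if (!pw_ok)   print "FAIL: no global --md5 password"
            exit !pw_ok
        }' "$1"
}

# sample_conf good|nopw|locked  -- constructed grub.conf variants for testing
sample_conf() {
    printf 'default=0\ntimeout=5\n'
    [ "$1" != nopw ] && printf 'password --md5 $1$Y84LB1$8tMY2PibScmu0Cc8z8U351\n'
    printf 'splashimage=(hd0,0)/grub/splash.xpm.gz\n'
    printf 'title CentOS\n\troot (hd0,0)\n'
    [ "$1" = locked ] && printf '\tlock\n'
    printf '\tkernel /vmlinuz ro root=/dev/sda2\n\tinitrd /initrd.img\n'
}

# Demo run over the three constructed variants
d=$(mktemp -d)
for v in good nopw locked; do
    sample_conf "$v" > "$d/$v"
    echo "== $v =="; check_grub_conf "$d/$v" || true
done
```

grub-md5-crypt and the password --md5 directive belong to GRUB Legacy only; GRUB 2 replaces them with grub-mkpasswd-pbkdf2 and a password_pbkdf2 line (typically in /etc/grub.d/40_custom).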

This is the end of this article about the encryption of the grub boot program in Linux. For more relevant content about grub boot encryption in Linux, please search for previous articles on 123WORDPRESS.COM or continue to browse the related articles below. I hope you will support 123WORDPRESS.COM in the future!
