How do I secure GRUB with a SHA-2 hashed password in RHEL6?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 6
  • grub-0.97-70.el6 or higher

Issue

  • How do I set or reset a GRUB password?
  • How do I lock down GRUB to prevent people modifying the kernel boot parameters?
  • For years the grub-md5-crypt program has been available to generate MD5-hashed passwords for locking down GRUB, but now that MD5 is widely-considered broken (and is of course not FIPS-approved), how can SHA-256 or SHA-512 passwords be used with GRUB?

Resolution

Note: On systems booting in UEFI mode, the RHEL 6 grub build only supports MD5 password hashes. To use a SHA-256 or SHA-512 hash, the system must boot in legacy BIOS mode, or be upgraded to RHEL 7, where grub2 (grub2-mkpasswd-pbkdf2) supports PBKDF2-SHA512 password hashes in UEFI mode.

See also: How do I secure GRUB with a plain-text or MD5 hashed password?

  • Starting with grub-0.97-70.el6 (the version of the grub rpm released with RHEL 6.1), the package includes the grub-crypt command, which generates GRUB-ready password hashes using SHA-256 or SHA-512 (the same $5$/$6$ crypt(3) format used in /etc/shadow):

    $ grub-crypt --help
    Usage: grub-crypt [OPTION]...
    Encrypt a password.
    
      -h, --help              Print this message and exit
      -v, --version           Print the version information and exit
      --md5                   Use MD5 to encrypt the password
      --sha-256               Use SHA-256 to encrypt the password
      --sha-512               Use SHA-512 to encrypt the password (default)
    

Steps to Secure GRUB

  1. Run grub-crypt, type the new password twice at its prompts, and get the hash it prints into /boot/grub/grub.conf, for example:

    • Use mouse to copy-paste
    • Use shell redirection (e.g., grub-crypt >>/boot/grub/grub.conf)
    • Call grub-crypt from within vim (by typing :r!grub-crypt)
  2. Put the hash on a new "password --encrypted HASH-GOES-HERE" line in the global section, i.e. before the first title stanza, e.g.:

    default=0
    timeout=5
    splashimage=(hd0,0)/grub/splash.xpm.gz
    password --encrypted $6$6h8KRVhOQ72qtffL$oYy80fap1gRdm5iyL7d14J5pnBRgKrKQDYZLTZ7avw81CfzgWagrtxIXlsGD9c0/NEH98YS40i8PAAWZ579jB/
    title Red Hat Enterprise Linux ...
    
     With a global password line in place the menu entries still boot unattended; GRUB demands the password (press p at the menu) only before editing an entry, entering the GRUB command line, or booting an entry that contains the lock directive.

  3. Finally, make grub.conf readable only by root, so the hash cannot be copied off for offline cracking (on RHEL 6, /etc/grub.conf and /boot/grub/menu.lst are symlinks to this file, so the mode set on /boot/grub/grub.conf covers all three)

    # chmod 600 /boot/grub/grub.conf
    # ls -l /boot/grub/grub.conf
    -rw-------. 1 root root 979 Sep 25 23:38 /boot/grub/grub.conf
    
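The three steps above as an added shell example, not part of the Red Hat article: it writes a grub.conf with no password, inserts the "password --encrypted" line in the global section, restricts the file to root, and then audits the result, flagging a missing line, a plain-text password, an MD5 hash or loose permissions. The grub.conf contents and kernel version in demo_grub_conf are constructed sample data, and the hash is the SHA-512 value shown above; on a RHEL 6 host generate your own with grub-crypt and point add_grub_password at /boot/grub/grub.conf.

```shell
#!/bin/bash
# Added example, not from the Red Hat article: apply the three steps to a
# grub.conf and audit the result. GRUB_HASH is the SHA-512 ($6$) value shown in
# the article; on RHEL 6 generate your own with `grub-crypt --sha-512`.
# Everything written by demo_grub_conf is constructed sample data.

# demo_grub_conf FILE: write a constructed RHEL 6 style grub.conf with no password.
demo_grub_conf() {
    cat > "$1" <<'EOF'
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux (2.6.32-71.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-71.el6.x86_64 ro root=/dev/mapper/vg_rhel-lv_root rhgb quiet
        initrd /initramfs-2.6.32-71.el6.x86_64.img
EOF
}

# add_grub_password FILE HASH: put "password --encrypted HASH" in the global
# section (just before the first title stanza), dropping any existing global
# password line so re-runs do not duplicate it, then make the file root-only.
# Per-entry password lines inside a stanza are left alone.
add_grub_password() {
    file=$1 hash=$2
    tmp=$(mktemp)
    awk -v h="$hash" '
        /^[[:space:]]*title[[:space:]]/ && !done { print "password --encrypted " h; done = 1 }
        /^[[:space:]]*password[[:space:]]/ && !done { next }
        { print }
        END { if (!done) print "password --encrypted " h }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write through the existing inode (grub.conf is usually a symlink target)
    rm -f "$tmp"
    chmod 600 "$file"
}

# check_grub_password FILE: succeed only if the global section carries a
# SHA-256/SHA-512 crypt hash and the file is mode 0600; otherwise print why.
check_grub_password() {
    file=$1
    line=$(awk '
        /^[[:space:]]*title[[:space:]]/ { exit }
        /^[[:space:]]*password[[:space:]]/ { print; exit }
    ' "$file")
    case "$line" in
        "password --encrypted \$5\$"*|"password --encrypted \$6\$"*) ;;
        "password --encrypted \$1\$"*|"password --md5 "*)
            echo "MD5 hash in use; regenerate with grub-crypt --sha-512"; return 1 ;;
        "password --encrypted "*) echo "unrecognised hash format"; return 1 ;;
        password*) echo "plain-text GRUB password"; return 1 ;;
        *) echo "no global password line before the first title stanza"; return 1 ;;
    esac
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    [ "$mode" = "600" ] || { echo "mode is $mode, expected 600"; return 1; }
    return 0
}

# Hash from the article (single-quoted so the shell leaves the $ signs alone).
GRUB_HASH='$6$6h8KRVhOQ72qtffL$oYy80fap1gRdm5iyL7d14J5pnBRgKrKQDYZLTZ7avw81CfzgWagrtxIXlsGD9c0/NEH98YS40i8PAAWZ579jB/'

# Demo on a temporary copy; on a real host run add_grub_password against /boot/grub/grub.conf.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    demo_grub_conf "$f"
    check_grub_password "$f" || echo "before: not locked down"
    add_grub_password "$f" "$GRUB_HASH"
    check_grub_password "$f" && echo "after: $f is locked down"
    cat "$f"
    rm -f "$f"
fi
```

Run with --demo to see the before/after on a temporary file. check_grub_password is the part worth keeping in a configuration check: it catches the two common regressions, an MD5 ($1$) hash left over from grub-md5-crypt and a grub.conf that has drifted back to world-readable.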


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.