How to Reset GRUB Password in Linux

This tutorial explains how to set, reset, break and remove the GRUB password in RedHat and CentOS Linux step by step with practical examples. Learn how to set a GRUB password to secure the boot loader and, conversely, how to break or remove the GRUB password if it is forgotten.

GRUB is the boot loader program in Linux. It includes several options for troubleshooting. These options are available at the boot loader screen and can be accessed by pressing the e key.

grub options

By default, Linux does not authenticate this access. Anyone who can reach the boot loader screen can use these options too.

grub options accessed

A malicious user can use these options to gain unauthorized access to the system. For example, they can get a shell prompt with root privileges by booting the system in emergency mode.

To keep the system safe and secure, GRUB options should be accessible only by authorized users.

Setting GRUB password

The main configuration file of GRUB is grub.cfg, located in the /boot/grub2 directory. It includes several configuration directives, values and parameters.

Usually a user only needs to add, remove or update a particular directive or section in this file. For example, in this tutorial we want to add directives that require authentication at the boot loader screen to secure the troubleshooting options. Editing the main configuration file directly for this kind of small change is not recommended. A small mistake in this file can make the system completely inaccessible.

Linux provides a better way to configure directives in this file. It breaks the configuration into several sections and makes them available as separate files in the /etc/grub.d/ directory. These files can be edited individually to add, update or remove specific functionality in a particular section. A new configuration file is then built from these files and used to replace the existing one.

Rather than editing grub.cfg directly, we will use this recommended method to add authentication to the configuration. The file 40_custom is used to manage the authentication directives.

Before we add this functionality to GRUB, let’s take a backup of the existing grub.cfg file.

#mkdir backup
#cp /boot/grub2/grub.cfg backup/
#ls backup/

The first command creates a directory, the second copies the main configuration file into it, and the third verifies that the file was copied successfully.

The following figure shows this operation step by step.

backup grub.cfg

Now open the file 40_custom for editing.

#vim /etc/grub.d/40_custom

The following figure shows the default entries in this file.

default 40_custom file

The following directives set a user name and password to authenticate access to the GRUB options at the boot loader screen:

set superusers="[User Name]"
password [User Name] [Password]

For example, to set the username “sanjay” and the password “123456”, insert the following directives in the file.

set superusers="sanjay"
password sanjay 123456

Make sure you insert the directives just below the existing configuration, as shown in the following figure.

40_custom file updated

Storing the password as plain text is not a secure way to manage credentials. Fortunately, GRUB supports hashed passwords and also provides a command to hash a plain-text password.

To use a hashed password, open another terminal and run the following command:

#grub2-mkpasswd-pbkdf2

Enter and re-enter the desired password.

grub2-mkpasswd

Copy the hashed password.

copy hashed password

Now paste this hashed password into the 40_custom file in place of the text password.

paste hashed password

The password_pbkdf2 directive is used for a hashed password, so the directive has to be changed as well.

Only one type of password can be used at a time: either the text password or the password hash, each with its respective directive.

password [user name] [text string]
Or
password_pbkdf2 [user name] [hashed string]

Use either directive to set the password for the username, then save the file.

supported password type

Once both directives (set superusers and the password directive) are added to the 40_custom file, run the following commands:

#grub2-mkconfig -o /root/grub.cfg
#grep sanjay /root/grub.cfg
#cp /root/grub.cfg /boot/grub2/
#reboot
  • The first command creates a new main configuration file grub.cfg in the /root/ directory from all configuration files in the /etc/grub.d/ directory.
  • The second command verifies that our changes were merged into the new configuration file.
  • The third command replaces the existing grub.cfg file with the new configuration file.
  • The last command reboots the system.
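The grep check above only confirms that the user name appears in the generated file. As an added example (not part of the original tutorial), the shell function below classifies a generated grub.cfg or a 40_custom file by the directives this tutorial uses, so a missing or misspelled superusers line, or a plain-text password, is caught before the file is copied to /boot/grub2/. The function name grub_auth_state and the sample hash are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify the boot-loader authentication state of a GRUB 2
# file such as grub.cfg or /etc/grub.d/40_custom.
# Prints one of: none | incomplete | plaintext | pbkdf2 | unreadable
grub_auth_state() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        /^[ \t]*set[ \t]+superusers=/ {           # value may list several names
            v = $0
            sub(/^[ \t]*set[ \t]+superusers=/, "", v)
            gsub(/"/, "", v)
            n = split(v, users, /[ \t,;|&]+/)
        }
        $1 == "password" && NF >= 3 { plain[$2] = 1; np++ }
        $1 == "password_pbkdf2" && $3 ~ /^grub\.pbkdf2\./ { hashed[$2] = 1; nh++ }
        END {
            if (n == 0) {
                # A password directive without superusers protects nothing.
                if (np + nh > 0) { print "incomplete" } else { print "none" }
                exit
            }
            # Every superuser needs a matching password directive.
            for (i = 1; i <= n; i++) {
                u = users[i]
                if (u != "" && !(u in plain) && !(u in hashed)) missing = 1
            }
            if (missing)      { print "incomplete" }
            else if (np > 0)  { print "plaintext" }
            else              { print "pbkdf2" }
        }
    ' "$1"
}

# Constructed sample input: the hash is a placeholder, not real output of
# grub2-mkpasswd-pbkdf2.
demo_dir=$(mktemp -d)
cat > "$demo_dir/40_custom" <<'EOF'
set superusers="sanjay"
password_pbkdf2 sanjay grub.pbkdf2.sha512.10000.CONSTRUCTEDSALT.CONSTRUCTEDHASH
EOF
echo "40_custom: $(grub_auth_state "$demo_dir/40_custom")"
```

Run it against /root/grub.cfg before the cp step; after the removal procedure later in this tutorial, the expected result is none.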

grub2-mkconfig -o command

The grep command searches for a text string or pattern in a given file. To learn how to use it, see the tutorial “Learn how to use grep command in Linux step by step”.

After the reboot, press the e key on the boot loader screen to access the GRUB options.

grub options secured

This time, authentication is required to access the GRUB options. Authenticate with the username and password that you set in the 40_custom file.

access grub options

We have successfully configured a GRUB password to protect the troubleshooting options available at the boot loader screen. Now only an authorized person can access these options. But what happens if the authorized person forgets the password?

Removing/Resetting/Breaking GRUB password

If you know the root password, use the following steps to remove or reset the GRUB password.

  • Do not press any key at the boot loader screen to interrupt the boot process. Let the system boot normally.
  • Log in with the root account and open the file /etc/grub.d/40_custom.
  • To remove the password, remove the set superusers and password or password_pbkdf2 directives and save the file.
  • To reset or change the password, update the password or password_pbkdf2 directive and save the file.
  • Once the necessary changes are made in the file 40_custom, create a new configuration file.
  • Replace the existing grub.cfg file with the new grub.cfg file.
  • Restart the system and access the GRUB options from the boot loader screen to verify the changes.

If you do not know the root password, use the following steps to remove the GRUB password.

Boot the system from the installation disk and select the Troubleshooting option on the first screen.

To remove the GRUB password from RedHat Linux, use the RHEL installation disk. To remove the GRUB password from CentOS Linux, use the CentOS installation disk.

troubleshooting options

From the Troubleshooting options, select the Rescue a CentOS/RedHat Linux system option.

rescue system option

Now select the first option, which mounts the installed Linux system in the /mnt/sysimage directory.

mount option

Now run the following commands:

#chroot /mnt/sysimage
#ls

chroot command

  • The first command creates the root environment needed to work with the installed Linux system. After this command, every command we run executes as if it were run from the installed system with root privileges.
  • The second command simply verifies that all directories are mounted properly.

Now open the file /etc/grub.d/40_custom and remove the directives that set up authentication at the boot loader screen.

remove authentication directive

Once the authentication directives are removed, save the file.

grub password removed

Now run the following commands:

#grub2-mkconfig -o /tmp/grub.cfg
#mv /tmp/grub.cfg /boot/grub2/
#exit
#reboot
  • The first command creates a new configuration file in the /tmp directory.
  • The second command replaces the existing configuration file with the new configuration file.
  • The third command closes the temporary root environment and returns to the rescue disk shell prompt.
  • The fourth command reboots the system.

grub password removed restart

While rebooting the system, remove the installation disk.

After the reboot, access the troubleshooting options from the boot loader screen to verify that the GRUB password has been removed.

verify grub password removed

That’s all for this tutorial. In the next tutorial we will learn how to use GRUB options to reset the root password.