5

I am using Ubuntu 14.04 and the GRUB version is 2.02~beta2-9ubuntu1. I've been trying this for a long time. I saw this question but couldn’t get it to work that way. Anyway, I have the solution but am not sure if it is correct or if it has any security risks. Please suggest.

I wanted to configure GRUB such that:-

  1. Authentication is required to edit the grub menu or enter rescue mode.
  2. Authentication is not required to boot the OS

I followed the Ubuntu Docs and also many other blogs, but all are based on GRUB2 versions older than 2.02~beta2-9ubuntu1, so the grub script cannot be edited as suggested in the docs. Following the docs I tried to edit menuentries, but each time the issue faced was that authentication was needed to boot the OS too.

beginer
  • 287

1 Answer

5

Taking help from the question and the Ubuntu Docs, I managed to get what I wanted, but please suggest if I am correct and if my configurations are really secure. Mainly, whether the GRUB configuration will also have to be edited when a new kernel is installed or not.

1. Create hashed password

grub-mkpasswd-pbkdf2

Give your password and you will receive the hash.

2. Create GRUB Authentication

In the file /etc/grub.d/40_custom add these entries at the end:

set superusers="user1"
password_pbkdf2 user1 GIVE-GRUB-PASSWORD-HASH-HERE
export superusers

Replace GIVE-GRUB-PASSWORD-HASH-HERE with the hash of the password received as the output of grub-mkpasswd-pbkdf2.

3. Apply Authentication to menuentries in the file /etc/grub.d/10_linux

Add --users '' to the following lines such that you have:-

echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} --users '' \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"

and

echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' --users ''  \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"

Add --unrestricted to the following line such that you have:-

echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} --unrestricted \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"

4. Update Grub

sudo update-grub

Edit

5. Reboot System

Forgot to add this earlier; you need to reboot the system after that.

sudo reboot
beginer
  • 287
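A check to run after step 4, and again whenever grub.cfg is regenerated, added here as an example and not part of the original answer: it reads the generated configuration and confirms that a superuser and a real PBKDF2 hash are present, that at least one entry is --unrestricted, and that no recovery entry is. The function names and the sample config are constructed, and the "recovery mode" title match assumes Ubuntu's entry naming.

```shell
#!/bin/sh
# Added example, not from the original answer: audit a generated grub.cfg
# against the two goals in the question.

# Header line of every menuentry/submenu in the file.
grub_entry_lines() {
    grep -E '^[[:space:]]*(menuentry|submenu)[[:space:]]' "$1" || true
}

# Titles of entries that boot without a password (--unrestricted).
grub_open_entries() {
    grub_entry_lines "$1" | grep -e '--unrestricted' |
        sed "s/^[^']*'\([^']*\)'.*/\1/" || true
}

# Return 0 only if editing is locked and the entry layout matches the goals.
audit_grub_cfg() {
    cfg=$1; rc=0
    # Goal 1: without superusers, GRUB enforces no authentication at all.
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg"; then
        echo "FAIL: superusers is not set"; rc=1
    fi
    # A real hash starts with grub.pbkdf2.; this also catches a leftover placeholder.
    if ! grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.' "$cfg"; then
        echo "FAIL: no password_pbkdf2 <user> <hash> line"; rc=1
    fi
    # Goal 2: entries without --unrestricted are superuser-only once superusers is set.
    open=$(grub_open_entries "$cfg")
    if [ -z "$open" ]; then
        echo "FAIL: no --unrestricted entry, every boot asks for a password"; rc=1
    fi
    # Assumption: Ubuntu titles recovery entries "... (recovery mode)".
    if printf '%s\n' "$open" | grep -q 'recovery mode'; then
        echo "FAIL: a recovery entry is --unrestricted"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK, boots without password: $open"
    return "$rc"
}

# Constructed sample standing in for /boot/grub/grub.cfg (reading the real one usually needs root).
sample=$(mktemp)
cat > "$sample" <<'EOF'
set superusers="user1"
password_pbkdf2 user1 grub.pbkdf2.sha512.10000.CONSTRUCTED.CONSTRUCTED
menuentry 'Ubuntu' --class ubuntu --unrestricted $menuentry_id_option 'gnulinux-simple-x' {
menuentry 'Ubuntu (recovery mode)' --users '' $menuentry_id_option 'gnulinux-recovery-x' {
EOF
audit_grub_cfg "$sample"
rm -f "$sample"
```

On a real system the call is `sudo sh -c '. ./audit.sh; audit_grub_cfg /boot/grub/grub.cfg'`, where audit.sh is a hypothetical file name for the block above.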