GRUB password protection on Linux

I. Example: setting a plaintext password for GRUB

1>. Edit the "/boot/grub/grub.conf" configuration file

[root@localhos ~]# cat /boot/grub/grub.conf 
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/mapper/vg_node200-lv_root
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=1

timeout=5

splashimage=(hd0,0)/grub/windows.xpm.gz

password yinzhengjie      # here the password is set to "yinzhengjie"

title CentOS 6 (2.6.32-754.el6.x86_64)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-754.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_node200/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
    initrd /initramfs-2.6.32-754.el6.x86_64.img

title CentOS 8 (4.6.32-754.el6.x86_64)
    kernel (hd0,0)/vmlinuz-2.6.32-754.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_node200/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
    initrd (hd0,0)/initramfs-2.6.32-754.el6.x86_64.img
[root@yinzhengjie ~]#

2>. Reboot the operating system (at the boot menu the "a", "c" and "e" options are no longer offered; only the "p" option is shown)

[root@localhos ~]# reboot 

Broadcast message from root@yinzhengjie
    (/dev/pts/0) at 22:07 ...

The system is going down for reboot NOW!
[root@localhos ~]#

3>. Press "p" and enter the password set in grub.conf

4>. If the password is correct, you are taken into the GRUB management menu

5>. A word of caution

The steps above do set a GRUB password, but it becomes awkward as soon as someone boots from a USB stick or a CD into rescue mode: that path bypasses the GRUB password we configured entirely. So in production, once the configuration above is in place, the designated USB ports should be disabled, leaving only a single port for the keyboard. Someone will then point out that a USB hub turns one usable port into many, which is why you sometimes have no choice but to disable every USB port. But anyone who has spent time with computers knows that even with all USB ports disabled you are still not safe: it only takes a data-center technician opening the server and swapping a few pieces of hardware. There is no absolute security, only the ongoing contest between attack and defense.

II. Example: setting a hashed password for GRUB

1>. Generate the GRUB password hash

[root@localhos ~]# grub-md5-crypt
Password: 
Retype password: 
$1$ejtsg0$qylYnYONrLdC56LXHIJ4M1
[root@localhos ~]#

2>. Using MD5 is not recommended (a core algorithm for digital signatures designed jointly by the US National Security Agency and the National Institute of Standards and Technology; both MD5 and SHA-1 were broken by the Chinese cryptographer Wang Xiaoyun)

[root@localhos ~]# cat /boot/grub/grub.conf 
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/mapper/vg_node200-lv_root
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=1

timeout=5

splashimage=(hd0,0)/grub/windows.xpm.gz

password --md5 $1$ejtsg0$qylYnYONrLdC56LXHIJ4M1

title CentOS 6 (2.6.32-754.el6.x86_64)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-754.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_node200/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
    initrd /initramfs-2.6.32-754.el6.x86_64.img

title CentOS 8 (4.6.32-754.el6.x86_64)
    kernel (hd0,0)/vmlinuz-2.6.32-754.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_node200/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
    initrd (hd0,0)/initramfs-2.6.32-754.el6.x86_64.img
[root@localhos ~]#

3>. SHA-512 is the recommended hashing algorithm

[root@localhos ~]# grub-crypt 
Password: 
Retype password: 
$6$bNlXV2xei8gteGzA$v4VFuBvn0svHHIbsBFzfdDnHTlUsZgVIXdLHqTRyAd7a9SFHGC4G87D7JNBKj5i3fGsEhS2vCgVbrO0Q34a7E1
[root@localhos ~]#

4>. Write the SHA-512 hash into the "/boot/grub/grub.conf" configuration file

[root@localhos ~]# cat /boot/grub/grub.conf 
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/mapper/vg_node200-lv_root
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=1

timeout=5

splashimage=(hd0,0)/grub/windows.xpm.gz

password --encrypted $6$bNlXV2xei8gteGzA$v4VFuBvn0svHHIbsBFzfdDnHTlUsZgVIXdLHqTRyAd7a9SFHGC4G87D7JNBKj5i3fGsEhS2vCgVbrO0Q34a7E1

title CentOS 6 (2.6.32-754.el6.x86_64)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-754.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_node200/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
    initrd /initramfs-2.6.32-754.el6.x86_64.img

title CentOS 8 (4.6.32-754.el6.x86_64)
    kernel (hd0,0)/vmlinuz-2.6.32-754.el6.x86_64 ro root=/dev/mapper/vg_node200-lv_root nomodeset rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_node200/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node200/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
    initrd (hd0,0)/initramfs-2.6.32-754.el6.x86_64.img
[root@localhos ~]#

How to remove the password?

[root@localhost ~]# vim /boot/grub/grub.conf

Delete the password line and the GRUB password is cleared.
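Since the three grub.conf variants above differ only in the form of the password directive (plaintext, --md5, --encrypted SHA-512), a quick audit script is handy for checking which one a host is actually running with, and whether the file is readable by other users. This is an added example, not code from the original post; the function names and the "plaintext/md5/sha512/none" labels are my own, and the sample files in the test are constructed.

```shell
#!/bin/sh
# Audit the GRUB legacy "password" directive in a grub.conf (added example).
# classify_grub_password FILE  -> prints: none | plaintext | md5 | sha256 | sha512 | malformed
# grub_conf_private FILE       -> exit 0 if "other" users have no permission bits on FILE

classify_grub_password() {
    file="$1"
    [ -r "$file" ] || { echo "unreadable"; return 1; }
    # First non-comment "password" directive; leading whitespace is allowed by GRUB.
    line=$(grep -E '^[[:space:]]*password([[:space:]]|$)' "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo "none"            # anyone at the console can edit kernel arguments
        return 0
    fi
    set -- $line               # $1=password  $2=option or secret  $3=hash (if any)
    case "$2" in
        --md5)                 # output of grub-md5-crypt, "$1$salt$hash"
            case "$3" in
                '$1$'*) echo "md5" ;;
                *)      echo "malformed" ;;
            esac ;;
        --encrypted)           # output of grub-crypt; accepts any crypt(3) format
            case "$3" in
                '$6$'*) echo "sha512" ;;
                '$5$'*) echo "sha256" ;;
                '$1$'*) echo "md5" ;;
                *)      echo "malformed" ;;
            esac ;;
        *)  echo "plaintext" ;; # secret is visible to anyone who can read the file
    esac
}

grub_conf_private() {
    # Columns 8-10 of "ls -l" are the permission bits for "other".
    others=$(ls -ld "$1" | cut -c8-10)
    [ "$others" = "---" ]
}

# Example invocation on a real system:
#   classify_grub_password /boot/grub/grub.conf
#   grub_conf_private /boot/grub/grub.conf || echo "grub.conf is readable by other users"
```

A result of "none" or "plaintext", or a non-private file, is what you want to flag in a host baseline check; "md5" is a weaker hash that the post itself advises against.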
