[Bug 392158] Re: passwords are awkward to use with grub-mkconfig

Nick Bishop 392158 at bugs.launchpad.net
Fri Nov 4 12:23:54 UTC 2011


Workaround (avoiding plain-text passwords in /etc/grub.d)

For those who cannot be bothered with a PPA repository for grub2, and
want to let users set their own bootup passwords and/or have users who
don't want to divulge their bootup password to the system administrator
...

Remembering that the usual bash shell constructs work, one can do something similar to this, within 00_header:
-----
password nick $(gpg --decrypt --no-mdc-warning --batch --no-tty --no-use-agent --quiet --passphrase-file /etc/grub.d/pass.txt /home/nick/nick.pwd.gpg)
-----
Repeat for other users authorised to set their own passwords.

Put the attached script in /usr/local/bin for users to set their own
passwords. And you need to generate /etc/grub.d/pass.txt as the
unrotated passphrase (or make alternative arrangements).

Limitations:
1. The passphrase used to drive GPG could be hidden a bit better.
2. You will still get a clear-text copy of the users' passwords in /boot/grub/grub.cfg; when you run update-grub, make sure it is generated with permissions -r-------- (600, in favour of root:root).

** Attachment added: "Script for users to set their own boot-time passwords (passphrase changed)"
   https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/392158/+attachment/2585110/+files/SetBootPassword

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/392158

Title:
  passwords are awkward to use with grub-mkconfig

Status in “grub2” package in Ubuntu:
  Triaged

Bug description:
  Binary package hint: grub2

  grub2 does not currently have support for security features, such as
  the "password" and "lock" commands.

  This is required in corporate environments, and would be a regression.
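
A check for the exposure described in Limitations item 2, added here as an example; it is not part of the original post or its attached script. It lists which users have a clear-text `password` line in a generated grub.cfg, without printing the secret, and reports whether the file is readable beyond its owner. The function names and the sample file are made up for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data is constructed.
# Assumes GNU stat (stat -c), as shipped on Ubuntu.

# Print "<line>: <user>" for each cleartext `password` directive. The secret
# (field 3) is never echoed; the exact match on field 1 skips GRUB's
# password_pbkdf2 lines, which hold a hash instead of the password.
cleartext_password_users() {
    awk '$1 == "password" { print NR ": " $2 }' "$1"
}

# Succeed only if no group/other permission bits are set (e.g. 400 or 600).
mode_is_private() {
    mode=$(stat -c '%a' "$1") || return 3
    case $mode in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# 0 = no cleartext passwords, 2 = present but file is owner-only,
# 1 = present and readable by group or others.
audit_grub_cfg() {
    hits=$(cleartext_password_users "$1")
    if [ -z "$hits" ]; then return 0; fi
    echo "cleartext password directives in $1 (line: user):"
    echo "$hits"
    if mode_is_private "$1"; then return 2; fi
    echo "WARNING: $1 is readable by group or others"
    return 1
}

# Constructed stand-in for /boot/grub/grub.cfg after update-grub has run.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'set superusers="nick"' \
        'password nick CONSTRUCTED-EXAMPLE-VALUE' \
        'menuentry "Ubuntu" { linux /vmlinuz }' > "$dir/grub.cfg"
    chmod 644 "$dir/grub.cfg"
    audit_grub_cfg "$dir/grub.cfg" || echo "exit status $?"
    chmod 400 "$dir/grub.cfg"
    audit_grub_cfg "$dir/grub.cfg" || echo "exit status $?"
    rm -rf "$dir"
}
demo
```

On a real system the call would be `audit_grub_cfg /boot/grub/grub.cfg`, run as root after each update-grub.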
