securitycentosredhatgrubgrub2

grub2-mkpasswd-pbkdf2 - can it accept standard input?


On CentOS 6 we currently encrypt the grub password using the password --md5 option and we are able to script this into our standard server build.

We are busy migrating to CentOS 7 and it appears that the password --md5 option has been removed in grub2 and replaced with grub2-mkpasswd-pbkdf2.

Although I welcome the improved security, I can't find a way to pass a password to the grub2-mkpasswd-pbkdf2 command via standard input, and it appears that grub2 has removed support for md5, the combination of which breaks our script building automation.

Can anyone possibly help with:

  1. A way to pass a password to grub2-mkpasswd-pbkdf2 via standard input?; or
  2. An alternative pbkdf2 generation utility to grub2-mkpasswd-pbkdf2 that accepts standard input?; or
  3. A mechanism for using --md5 with grub2?

Solution

  • I recently wrote a tool to do just this -- namely, to be able to more easily generate GRUB2 hashes non-interactively, and to be able to do so on RHEL6. It's on GitHub.

    In the readme you'll also see explanation of how to use the standard grub2-mkpasswd-pbkdf2 to generate hashes non-interactively by piping the password twice with newline.