
How to Lock the Bootloader on PC for Better Security

Learn why locking the bootloader on your PC can prevent unauthorized access to your system and data, and how to do it with a simple command.

The bootloader is a program that runs before the operating system starts, and allows you to choose which operating system to boot. It also performs some basic checks and initializations to prepare the hardware for the OS. However, the bootloader can also be a security risk, as it can be modified or replaced by malicious software that can compromise your system and data. In this article, we will explain why you might want to lock the bootloader on your PC, and how to do it with a simple command.

What is the Bootloader and Why is it Important?

The bootloader is the first piece of software that runs when you turn on your PC. It is stored in a special memory chip called the BIOS (Basic Input/Output System) or the UEFI (Unified Extensible Firmware Interface), depending on your PC model. The bootloader’s main function is to load the operating system from the hard drive or another storage device, such as a USB flash drive or a CD-ROM. The bootloader can also display a menu that lets you choose which operating system to boot, or access some advanced options, such as safe mode or recovery mode.

The bootloader is important because it is the bridge between the hardware and the software of your PC. It ensures that the operating system can communicate with the hardware components, such as the CPU, the RAM, the keyboard, the mouse, the display, and so on. Without the bootloader, the operating system would not be able to start or function properly.

What are the Risks of Having an Unlocked Bootloader?

Having an unlocked bootloader means that anyone can modify or replace the bootloader with a custom one, without needing a password or a security key. This can be useful for some purposes, such as installing a different operating system, or troubleshooting some issues. However, it can also pose some serious security risks, such as:

  • Malware infection: A malicious program can overwrite the bootloader with a compromised one that loads a hidden malware payload before the operating system starts. This can allow the malware to bypass the security features of the operating system, such as antivirus software, firewall, encryption, and so on. The malware can then steal, delete, or encrypt your data, spy on your online activity, or perform other harmful actions.
  • Data loss: A faulty or corrupted bootloader can prevent the operating system from booting, or cause errors and crashes during the boot process. This can result in data loss or corruption, or make your PC unusable. You might need to reinstall the operating system or restore your data from a backup, which can be time-consuming and frustrating.
  • Unauthorized access: An attacker with physical access to your PC can boot from a different device, such as a USB flash drive or a CD-ROM, that contains a malicious or unauthorized operating system. This can allow the attacker to bypass the login screen or the encryption of your hard drive, and access your data or change your settings. The attacker can also install a backdoor or a keylogger on your PC that gives them remote access or records your keystrokes.

How to Lock the Bootloader on Your PC?

Locking the bootloader on your PC can prevent the above-mentioned risks, and enhance the security of your system and data. Locking the bootloader means that you need a password or a security key to modify or replace the bootloader, or to boot from a different device. This can prevent unauthorized or malicious changes to the bootloader, and ensure that only the trusted operating system can boot.

The exact steps to lock the bootloader on your PC may vary depending on your PC model, your BIOS or UEFI version, and your operating system. However, the general procedure is as follows:

  1. Back up your data. Before locking the bootloader, it is recommended to back up your important data to an external storage device, such as a USB flash drive or a cloud service. This can help you recover your data in case something goes wrong during the process, or if you need to unlock the bootloader again in the future.
  2. Enable Secure Boot. Secure Boot is a feature of the UEFI that verifies the digital signature of the bootloader and the operating system, and prevents them from being modified or replaced by unauthorized or malicious software. To enable Secure Boot, you need to access the UEFI settings of your PC, which can be done by pressing a specific key (such as F2, F10, F12, or Del) during the boot process, or by using a Windows tool (such as msconfig or Settings). Once you are in the UEFI settings, look for the Secure Boot option, and enable it. You may also need to disable the Legacy Boot or the Compatibility Support Module (CSM) option, which are used to support older BIOS-based bootloaders. Save the changes and exit the UEFI settings.
  3. Lock the bootloader. To lock the bootloader, you need to use a command-line tool called Fastboot, which is part of the Android SDK Platform-Tools. You can download the Platform-Tools from the official Android website, and extract the zip file to a folder on your PC. Then, you need to connect your PC to your Android device using a USB cable, and enable the USB debugging mode on your Android device. To do this, go to Settings > About Phone, and tap the Build Number seven times to enable the Developer Options. Then, go to Settings > Developer Options, and enable the USB debugging option. You may also need to enable the OEM unlocking option, which allows you to unlock the bootloader. After that, open a command prompt window on your PC, and navigate to the folder where you extracted the Platform-Tools. Then, type the following command:

fastboot flashing lock

This command will lock the bootloader on your Android device, and erase all the data on it. You may need to confirm the action on your device’s screen. Once the process is done, you can reboot your device, and set it up again.
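To confirm that step 2 actually took effect on the PC, the firmware's own state variables can be read back after the reboot. The following is an added example, not part of the original article; it assumes a Linux system booted in UEFI mode with efivarfs mounted at /sys/firmware/efi/efivars, and the function names and sample byte strings are constructed for illustration.

```python
import struct
from pathlib import Path
from typing import Optional

# GUID of the EFI global variable namespace (defined by the UEFI specification).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed efivarfs mount point

# Constructed samples: attribute word 0x00000006 followed by one data byte.
SAMPLE_ON = bytes.fromhex("0600000001")
SAMPLE_OFF = bytes.fromhex("0600000000")


def parse_efivar_flag(raw: bytes) -> int:
    """Decode a one-byte boolean EFI variable as exposed by efivarfs.

    Each efivarfs file is a 4-byte little-endian attribute word followed by
    the variable data; SecureBoot and SetupMode carry a single byte (0 or 1).
    """
    if len(raw) != 5:
        raise ValueError(f"expected 5 bytes, got {len(raw)}")
    _attrs, value = struct.unpack("<IB", raw)
    if value not in (0, 1):
        raise ValueError(f"unexpected flag value {value}")
    return value


def secure_boot_verdict(secure_boot: Optional[bytes],
                        setup_mode: Optional[bytes]) -> str:
    """Classify the firmware state from the raw SecureBoot/SetupMode data."""
    if secure_boot is None:
        return "legacy-or-unsupported"  # BIOS/CSM boot, or variable absent
    if setup_mode is not None and parse_efivar_flag(setup_mode) == 1:
        return "setup-mode"  # no Platform Key enrolled: nothing is enforced
    if parse_efivar_flag(secure_boot) == 1:
        return "enforcing"
    return "disabled"


def read_var(name: str) -> Optional[bytes]:
    """Return the raw efivarfs contents of a global variable, or None."""
    try:
        return (EFIVARS / f"{name}-{EFI_GLOBAL}").read_bytes()
    except OSError:
        return None


if __name__ == "__main__":
    print(secure_boot_verdict(read_var("SecureBoot"), read_var("SetupMode")))
```

Any result other than "enforcing" means the firmware is not verifying boot components, even if the Secure Boot option appears enabled in the UEFI settings menu. On Windows, the PowerShell cmdlet Confirm-SecureBootUEFI reports the same state.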

Frequently Asked Questions (FAQs)

Question: What are the benefits of locking the bootloader on my PC?

Answer: Locking the bootloader on your PC can improve the security of your system and data, by preventing unauthorized or malicious changes to the bootloader or the operating system, and by verifying the digital signature of the software that runs on your PC.

Question: What are the drawbacks of locking the bootloader on my PC?

Answer: Locking the bootloader on your PC can limit your options to customize or troubleshoot your system, such as installing a different operating system, or accessing some advanced options. It can also make it harder to recover your system or data in case of a failure or a corruption.

Question: How can I unlock the bootloader on my PC?

Answer: To unlock the bootloader on your PC, you need to follow the same steps as locking the bootloader, but use the following command instead:

fastboot flashing unlock

This command will unlock the bootloader on your Android device, and erase all the data on it. You may need to confirm the action on your device’s screen. Once the process is done, you can reboot your device, and set it up again.

Summary

The bootloader is a program that runs before the operating system starts, and allows you to choose which operating system to boot. However, the bootloader can also be a security risk, as it can be modified or replaced by malicious software that can compromise your system and data. To prevent this, you can lock the bootloader on your PC, which means that you need a password or a security key to modify or replace the bootloader, or to boot from a different device. To lock the bootloader on your PC, you need to enable Secure Boot in the UEFI settings, and use the Fastboot tool to lock the bootloader with a simple command. Locking the bootloader can improve the security of your system and data, but it can also limit your options to customize or troubleshoot your system.

Disclaimer: The information in this article is for educational purposes only, and does not constitute professional advice. The author and the publisher are not liable for any damages or losses that may result from following the instructions or using the tools in this article. Always back up your data before making any changes to your system, and consult the official documentation or support of your PC model, your BIOS or UEFI version, and your operating system for more details and guidance.