In this article, we’ll look at how to protect the Linux GRUB2 bootloader configuration with a password.
Generate a password hash using the grub-mkpasswd-pbkdf2 tool (available by default on Ubuntu):
$ grub-mkpasswd-pbkdf2
Enter the password and confirmation, then copy the hash (starts with grub.pbkdf2.sha512…).
Edit the grub bootloader config file:
$ sudo nano /etc/grub.d/00_header
Add the following lines at the end of the file, replacing user_name with the GRUB username and password-hash with the hash you copied:
cat << EOF
set superusers=user_name
password_pbkdf2 user_name password-hash
EOF
Update bootloader configuration:
$ sudo update-grub
Reboot Linux:
$ reboot
Now, when GRUB starts, a prompt will appear in which you need to enter a username and password. Without entering credentials, Linux will not boot.
Since the /etc/grub.d/00_header file contains a password hash, it is recommended to prevent it from being read and modified by anyone except the root user:
$ sudo chmod 711 /etc/grub.d/00_header
In this mode, the GRUB password will be requested each time Linux boots. If you only want to protect the bootloader configuration from changes, edit the /etc/grub.d/10_linux file:
$ sudo nano /etc/grub.d/10_linux
Find the line:
CLASS="--class gnu-linux --class gnu --class os"
And add the --unrestricted option:
CLASS="--class gnu-linux --class gnu --class os --unrestricted"
Save the file and update the GRUB config:
$ sudo update-grub
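To check the result of the steps above, here is a shell function added as an example (it is not part of the original article): it verifies that 00_header defines a superuser with a real grub.pbkdf2.sha512 hash, that the file has no group/other read or write bits, and reports whether 10_linux carries --unrestricted. The function name audit_grub_password and its optional directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): audit the GRUB2 password setup.
# Usage: audit_grub_password [DIR]   DIR defaults to /etc/grub.d
# Assumes a single superuser name without regex metacharacters.
audit_grub_password() {
    dir=${1:-/etc/grub.d}
    hdr=$dir/00_header
    problems=0
    [ -r "$hdr" ] || { echo "FAIL: cannot read $hdr (run as root)"; return 1; }

    # Superuser name from "set superusers=user_name" (quotes optional).
    user=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers=//p' "$hdr" |
        tr -d "\"' " | tail -n 1)
    # A real hash looks like grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>.
    hash_re='grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+'
    if [ -z "$user" ]; then
        echo "FAIL: no 'set superusers=' line in $hdr"
        problems=$((problems + 1))
    elif grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$user[[:space:]]+$hash_re[[:space:]]*\$" "$hdr"; then
        echo "OK: superuser '$user' has a PBKDF2 hash"
    else
        echo "FAIL: no valid password_pbkdf2 line for superuser '$user'"
        problems=$((problems + 1))
    fi

    # The file holds the hash: group/other must have no read or write bit.
    loose=$(find "$hdr" -prune \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \))
    if [ -n "$loose" ]; then
        echo "FAIL: $hdr is readable or writable by group/other"
        problems=$((problems + 1))
    else
        echo "OK: $hdr permissions are restricted"
    fi

    # Report which of the two modes from the article is configured.
    if grep -q '^CLASS=.*--unrestricted' "$dir/10_linux" 2>/dev/null; then
        echo "INFO: entries boot without a password; editing them requires it"
    else
        echo "INFO: password is requested on every boot"
    fi
    return "$problems"
}
```

Source the file and call audit_grub_password as root after running update-grub; the return value is the number of failed checks.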