CentLinux

Linux Server, DevOps, Kubernetes, and Beyond

How to set GRUB Password in Linux

Share on Social Media

Learn how to set GRUB password in Linux to enhance your system’s security. Follow our step-by-step guide to protect your boot loader and prevent unauthorized access to boot settings. #centlinux #linux #grub

What is GRUB?

GRUB (Grand Unified Bootloader) is a bootloader package developed to support multiple operating systems and allow the user to select among them during boot-up. It is commonly used in Unix-like operating systems, particularly Linux. Here are some key points about GRUB:

  1. Functionality: GRUB loads the operating system kernel into memory and starts its execution. It is the first software program that runs when a computer starts.
  2. Configuration: GRUB’s configuration file is usually located at /boot/grub/grub.cfg (for GRUB 2). This file is often generated by scripts and should not be edited directly. Instead, users typically edit /etc/default/grub and then run update-grub to apply changes.
  3. Versions: There are two main versions of GRUB:
  • GRUB Legacy: The original version, which is now largely deprecated.
  • GRUB 2: The current version, which includes many improvements and new features.
How to set GRUB Password in Linux
How to set GRUB Password in Linux

Features:

  • Multi-boot support: Allows booting multiple operating systems.
  • Scripting: Supports scripting for advanced configurations.
  • File system support: Can read various file systems, enabling it to load kernels from different partitions.
  • Theming: Supports graphical themes for a more user-friendly interface.

Boot Process:

  • Stage 1: Loads the initial bootloader code from the Master Boot Record (MBR).
  • Stage 1.5: Loads additional code to understand file systems.
  • Stage 2: Loads the GRUB menu and allows the user to select an operating system or kernel.
  1. Recovery: GRUB includes a command-line interface that can be used for troubleshooting and recovery if the system fails to boot.
  2. Customization: Users can customize the boot menu, set default boot options, and configure timeout settings.

GRUB is a powerful and flexible tool that plays a crucial role in the boot process of many systems, providing essential functionality for managing and booting multiple operating systems.

Why set GRUB Password?

You may be aware that, if a person has physical access to your Linux server. It can easily reset the superuser (root) password by booting your Linux OS into Single user mode.

For this purpose, one can easily edit the Kernel command in GRUB menu.

Therefore, it is a best practice to put a strong password on GRUB. So, whenever a user try to edit the menu entries, he has to provide a valid login/password.

Let’s see how we can set GRUB password on Linux Server. There are two ways to this.

61 oTP1X4rL. AC UL160 SR160,160
Apple 2024 MacBook Pro Laptop with M4 chip with 10‑core CPU and 10‑core GPU: Built for Apple Intelligence, 14.2-inch Liquid Retina XDR Display, 16GB Unified Memory, 512GB SSD Storage; Space Black
4.8 out of 5 stars(292)
$1,439.00 (as of February 3, 2025 14:47 GMT +00:00 – More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)

The Simple Method

In some Linux distros such as Rocky Linux, RHEL or CentOS 8. GRUB bootloader is shipped with a handy command to set a password for boot menu.

This command sets a password for the default root user. Execute it now and set a strong password.

# grub2-setpassword
Enter password:
Confirm password:

Reboot your Linux server to verify the new settings.

GRUB Menu
GRUB Menu

Press ‘e’ to edit the menu entries.

GRUB Login
GRUB Login

The GRUB is now asking for a login credentials. Enter the correct login/password.

Edit GRUB Menu
Edit GRUB Menu

After providing valid credentials, you can now edit your GRUB menu commands.

Similarly, if you want to remove GRUB password, that was set by using the grub2-password command. You have to simply delete the following file.

# rm -f /boot/grub2/user.cfg
# rm -f /boot/efi/EFI/redhat/user.cfg

For a BIOS based system the user.cfg file is located in /boot/grub2/ directory, whereas on an UEFI based system, you may find it within /boot/efi/EFI/redhat/ directory.

Therefore, it is safe to delete it from both locations.

The Advance Method

If you want to create multiple login credentials for GRUB menu then the simple method won’t work for you.

Therefore, you have to use the following method to set passwords on boot menu. and this method works on all Linux distros that are using GRUB bootloader.

Execute the following command to generate password hashes for your users.

# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.6CE9F4DAF8A6BB2823882EEF3A6CF1792523E4785BD891BF61597DE59BAEBF50787642196FDDC018258C7C00FBC105FAD3F7437936DCD0C72F925A101BADE2CE.EBD8D141809B5793651F198C91560FAB2A522683FB9E4BC95BE961D19A6A3E8F46225B7CF68A7F79BAAB19E99500FA6DC7CC6DB331026733670722D9FD40FDD4

# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.751F468CC621AF04393BD80D4C1B4C8D5D5B990A9CF6E2AEB7B1424ECE4ED2C4C9FD47FFE33156C11EADA59EFC7B16DBBED3F3A368468DC0A1FDEAEDEC2AB43D.37D24383BB42E891068090A0EF6E60B43F1C800F9A82F88179F7535343EEBAD08326BD1CBD3337ED5E712291B3DBDBB2341DF58E8F012F3D7E7CD10DE4F0B1A4

Edit /etc/grub.d/00_header by using your favorite text editor.

# vi /etc/grub.d/00_header

Add following lines of code at the end of this file.

cat << EOF
set superusers="grubadmin,gruboper"
password_pbkdf2 grubadmin grub.pbkdf2.sha512.10000.6CE9F4DAF8A6BB2823882EEF3A6CF1792523E4785BD891BF61597DE59BAEBF50787642196FDDC018258C7C00FBC105FAD3F7437936DCD0C72F925A101BADE2CE.EBD8D141809B5793651F198C91560FAB2A522683FB9E4BC95BE961D19A6A3E8F46225B7CF68A7F79BAAB19E99500FA6DC7CC6DB331026733670722D9FD40FDD4
password_pbkdf2 gruboper grub.pbkdf2.sha512.10000.751F468CC621AF04393BD80D4C1B4C8D5D5B990A9CF6E2AEB7B1424ECE4ED2C4C9FD47FFE33156C11EADA59EFC7B16DBBED3F3A368468DC0A1FDEAEDEC2AB43D.37D24383BB42E891068090A0EF6E60B43F1C800F9A82F88179F7535343EEBAD08326BD1CBD3337ED5E712291B3DBDBB2341DF58E8F012F3D7E7CD10DE4F0B1A4
EOF

Rebuild GRUB configuration file by executing following command.

# grub2-mkconfig > /boot/grub2/grub.cfg
Generating grub configuration file ...
done

Above command may not be available on some Linux distros such as Debian, where you can alternatively execute following command.

# update-grub

Similarly, if you want to remove the password from boot menu, you can remove this code from /etc/grub.d/00_header and regenerate the GRUB configurations.

712OyBPPL0L. AC UL160 SR160,160
Ozeino Gaming Headset for PC, Ps4, Ps5, Xbox Headset with 7.1 Surround Sound, Gaming Headphones with Noise Cancelling Mic RGB Light Over Ear Headphones for Xbox Series X/S, Switch
4.5 out of 5 stars(4999)
$21.99 (as of February 2, 2025 14:45 GMT +00:00 – More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)

A Bonus Tip: GRUB Boot Loader

Here, GRUB bootloader will ask for a login credential when user try to edit the menu. However, in some situations you may be required to set a password whenever you try to start your Linux OS.

Edit /etc/grub.d/10_linux in your favorite text editor.

# vi /etc/grub.d/10_linux

Find following line in this file.

CLASS="--class gnu-linux --class gnu --class os --unrestricted"

And remove the –unrestricted option.

CLASS="--class gnu-linux --class gnu --class os"

Regenerate GRUB configuration file and reboot.

GRUB Login
GRUB Login

Now, GRUB will ask you for a password if you try to boot your Linux OS.

Beware that, if you forget this password, then you have to recover GRUB bootloader.

Recommended Training: Complete Linux Training Course to Get Your Dream IT Job 2025 from Imran Afzal

1523066 334c 15
show?id=oLRJ54lcVEg&bids=1597309

Video Tutorial: How to set GRUB Password in Linux

If you prefer a step-by-step visual guide, check out our detailed video tutorial on How to Set a GRUB Password in Linux. The video walks you through the entire process, from accessing the GRUB configuration file to setting up a secure password for protecting your bootloader. This tutorial is especially helpful for users who want a hands-on demonstration of the commands and configurations needed. Watch the video to ensure your Linux system is protected from unauthorized access right from the boot process.

YouTube player

Final Thoughts

Setting a GRUB password in Linux is a crucial security measure to prevent unauthorized access to bootloader settings. By securing GRUB, you can restrict users from modifying kernel parameters or booting into single-user mode without authentication.

After configuring the password, always test your setup to ensure it works as expected. Implementing this additional layer of security enhances system protection, especially on shared or sensitive environments. For a step-by-step visual guide, check out our video tutorial to see the process in action.

Looking for a Linux server expert? I provide top-tier administration, performance tuning, and security solutions for your Linux systems. Explore my Fiverr profile for details!

Looking for something?

Latest Articles

Leave a Reply