How to password Grub2

There are several methods to protect the Grub in our favorite distribution. I particularly tried with this variant and with This other, but none worked for me. Maybe I was missing something and it is a shame, because when generating the passwords with Hash, the thing is more secure.

But anyway, I will show you one that did work wonders for me, and that asks me for username and password when I try to edit the Grub. The steps are simple:

1- We edit the file /etc/grub.d/00_header:

$ sudo nano /etc/grub.d/00_header

2- We add the following lines to the final:

cat << EOF
  set superusers="elav"
    password elav micontraseña

In my case, I chose my nickname as a superuser, but you can choose whatever you want. If we want, we can add more users, and it would look like this:

cat << EOF
  set superusers="elav"
    password elav micontraseña
    password kzkggaara sucontraseña

We save and update the Grub.

sudo update-grub2

We reboot and when we try to edit the Grub with the key "and" It will ask us for username and password 😀

The content of the article adheres to our principles of editorial ethics. To report an error click here.

8 comments, leave yours

Leave a Comment

Your email address will not be published. Required fields are marked with *



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   fucking master said

    fucking freaky

  2.   Hugo said

    I don't know if you knew that a while ago I added precisely that approach to the GUTL Wiki. In my opinion, the next interesting thing to do is a tutorial on how to password protect a particular GRUB menu entry. Are you excited? 😉

    1.    elav <° Linux said

      In fact it can be done. I'll keep it in mind..


  3.   LZN said

    Hello, if it works put the hash option.

    So that it is neat and works.
    The way to do it is like this.
    You have to add the following lines at the end of the file /etc/grub.d/40_custom

    set superusers = »user»
    password_pbkdf2 user and here all the hash that was generated by grub-mkpasswd-pbkdf2

    save and run update-grub
    and voila =)

    1.    elav <° Linux said

      Wow! Thanks for the tip 😉

  4.   Hugo said

    Thank you, I finally found what I was looking for.

  5.   fran said

    It worked for me. Thank you very much 🙂

  6.   bapgnu said

    Just to enrich the exposed. While the method looks very easy to apply, I think, correct me if I'm wrong, it is easily vulnerable.
    Test: If I were to run a live, I could mount the disk and read the file in question, since it is in plain text. With the information obtained, you could edit the grub to get root access.
    I welcome your comments.