How to Secure GRUB Bootloader with a Password

By Admin · Mar 15, 2026 · Updated Apr 23, 2026

An unprotected GRUB bootloader allows anyone with physical or console access to boot into single-user mode, reset the root password, or modify kernel parameters. Securing GRUB with a password prevents unauthorized boot modifications.

Why Secure GRUB?

  • Prevent unauthorized access to single-user/rescue mode
  • Block kernel parameter modifications (init=/bin/bash)
  • Protect against console-based attacks on VPS (VNC access)
  • Meet compliance requirements for physical security controls

Setting a GRUB Password

# Generate a hashed password
grub-mkpasswd-pbkdf2
# Enter password: ********
# Confirm: ********
# PBKDF2 hash: grub.pbkdf2.sha512.10000.LONGHASH...

# Edit GRUB configuration
sudo nano /etc/grub.d/40_custom

# Add these lines:
set superusers="grubadmin"
password_pbkdf2 grubadmin grub.pbkdf2.sha512.10000.LONGHASH...

# Update GRUB
sudo update-grub

Allow Normal Boot Without Password

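# Once superusers is set, the password is required even to boot an entry
# To require it only for editing entries:
sudo nano /etc/grub.d/10_linux

# 10_linux is the script that generates the menuentry lines.
# Find the menuentry line it emits and add --unrestricted, so the result reads:
# menuentry "Ubuntu" --unrestricted {
# This allows booting without a password but still requires
# the password to edit boot parameters.
# The change takes effect the next time update-grub regenerates the configuration.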

Testing

# Reboot and try to edit a GRUB entry (press e at boot menu)
# You should be prompted for username and password
# Normal boot should work without credentials (if --unrestricted is set)
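
A check that can be run after update-grub and before rebooting, so a lockout or a missing hash is caught while the system is still up. This is an added example, not part of the original article. The function names are hypothetical, the sample configuration is constructed, and the path /boot/grub/grub.cfg in the usage note is an assumption (the usual update-grub output location on Debian/Ubuntu).

```shell
# Added example: audit a generated grub.cfg for the password setup in this article.
# sample_cfg is a constructed sample (not from a real system); the hash is a placeholder.
sample_cfg() {
cat <<'EOF'
set superusers="grubadmin"
password_pbkdf2 grubadmin grub.pbkdf2.sha512.10000.PLACEHOLDERHASH
menuentry 'Ubuntu' --class ubuntu --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro
}
menuentry 'Ubuntu (recovery mode)' --class ubuntu {
    linux /vmlinuz root=/dev/sda1 ro recovery
}
EOF
}

# Print each name in superusers (GRUB accepts space , ; | & as separators).
superusers() {
    sed -nE 's/^[[:space:]]*set[[:space:]]+superusers="?([^"]*)"?.*/\1/p' "$1" |
        tr ' ,;|&' '\n\n\n\n\n' | sed '/^$/d'
}

# Print superusers that have no matching password_pbkdf2 line.
users_without_hash() {
    for u in $(superusers "$1"); do
        awk -v u="$u" '$1 == "password_pbkdf2" && $2 == u && $3 ~ /^grub\.pbkdf2\./ { f = 1 }
            END { exit !f }' "$1" || echo "$u"
    done
}

# Print titles of menu entries without --unrestricted (they prompt before booting).
restricted_entries() {
    grep -E '^[[:space:]]*menuentry[[:space:]]' "$1" | grep -v -- '--unrestricted' |
        sed -E "s/^[[:space:]]*menuentry[[:space:]]+['\"]([^'\"]*)['\"].*/\1/"
}

# Report findings; return 0 only if a superuser exists and each one has a hash.
audit_grub_cfg() {
    rc=0
    [ -n "$(superusers "$1")" ] || { echo "FAIL: superusers is not set"; rc=1; }
    for u in $(users_without_hash "$1"); do
        echo "FAIL: superuser '$u' has no password_pbkdf2 hash"; rc=1
    done
    restricted_entries "$1" | sed 's/^/INFO: prompts for credentials before booting: /'
    return $rc
}

# No argument: audit the constructed sample. Otherwise audit the given file.
if [ -n "${1:-}" ]; then cfg=$1; else cfg=$(mktemp); sample_cfg > "$cfg"; fi
audit_grub_cfg "$cfg"
```

To audit the live configuration, pass its path as the argument (for example /boot/grub/grub.cfg, which normally needs root to read). Every INFO line names an entry that cannot boot unattended.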

Recovery

# If you forget the GRUB password:
# 1. Boot from a rescue/live ISO
# 2. Mount your root partition
# 3. Edit /etc/grub.d/40_custom to remove the password lines
# 4. Run update-grub from chroot
# 5. Reboot

Best Practices

  1. Use a strong, unique password for GRUB (different from root)
  2. Store the password securely in your password manager
  3. Use --unrestricted for normal boot entries to avoid lockouts
  4. Test the configuration before relying on it
  5. Document the recovery procedure for your team