The grub2 password protection procedure can be quite tricky and if you get it wrong there is a possibility of leaving yourself with a non-bootable system. Thus always make a full image backup of your hard-drive first. My recommendation would be to use Clonezilla or PartImage.

If you want to practice this use a virtual machine guest which you can rollback a snapshot.

The procedure below protects unauthorised editing of Grub settings whilst booting i.e, pressing “e” to edit allows you to change the boot options. You could for example, force booting to single user mode and thus have access to your hard-disk.

This procedure should be used in conjunction with hard-disk encryption and a secure bios boot option to prevent booting from live cd.

Almost everything below can be copied and pasted one line at a time.

First lets backup the grub files we will be editing. Open a terminal session and type following:

sudo mkdir /etc/grub.d_backup
sudo cp /etc/grub.d/* /etc/grub.d_backup

Lets create a username for grub:

gksudo gedit /etc/grub.d/00_header &

Scroll to the bottom, add a new empty line and copy and paste the following:

cat << EOF
set superusers="myusername"
password myusername xxxx
password recovery 1234

In this example two usernames were created: myusername and recovery

Next navigate back to the terminal (don’t close gedit):

For Natty and Oneiric users only

Generate an encrypted password by typing


Enter your password you will use twice when prompted

Your PBKDF2 is grub.pbkdf2.sha512.10000.D42BA2DB6CF3418C413373CD2D6B9A91AE4C0EB4E6AA20F89DFA027CA6E6CBF3542CB39E951607E9D651D82700AF47884929BDD193E36CB262CC96201B5789AA.1A9B0033928E3D3D0338583A5BF13AF7D5CC6EC5A41456F8FE8D8EBEB7A093CD0A0CE8688949E6007188ECB3FB0FF916F258602D130CF5C8525FB318FBBE2646

The bit we are interested in starts grub.pbkdf2… and ends BBE2646

Highlight this section using your mouse, right click and copy this.

Switch back to your gedit application, highlight the text “xxxx” and replace this with what you copied (right click and paste)

i.e. the line should look like

password myusername grub.pbkdf2.sha512.10000.D42BA2DB6CF3418C413373CD2D6B9A91AE4C0EB4E6AA20F89DFA027CA6E6CBF3542CB39E951607E9D651D82700AF47884929BDD193E36CB262CC96201B5789AA.1A9B0033928E3D3D0338583A5BF13AF7D5CC6EC5A41456F8FE8D8EBEB7A093CD0A0CE8688949E6007188ECB3FB0FF916F258602D130CF5C8525FB318FBBE2646

All Ubuntu versions (lucid and above)

Save and close the file.

Finally you need to password protect each grub menu entry (all files that have a line that begins menuentry):

cd /etc/grub.d
sudo sed -i -e '/^menuentry /s/ {/ --users myusername {/' *

This will add a new entry i.e users myusername to each line.

Run update-grub to regenerate your grub

sudo update-grub

When you try to edit a grub entry it will ask for your user name i.e. myusername and the password you used.

Reboot and test that username and password is being enforced when editing all of the grub-entries.

Kindly note that remember to press SHIFT during boot to display your grub.

How to Password Protect Grub2 Boot Loader Ubuntu
Tagged on:                                                     

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.

Recommend on Google