
21.6.2. Password Encryption

By default, passwords are saved in plain text in GRUB 2 scripts. Although the files cannot be accessed on boot without the correct password, security can be improved by encrypting the password using the grub2-mkpasswd-pbkdf2 command. This command converts the desired password into a long PBKDF2 hash, which is placed in the GRUB 2 scripts instead of the plain-text password.
  1. To generate an encrypted password, run the grub2-mkpasswd-pbkdf2 command on the command line as root.
  2. Enter the desired password when prompted and repeat it. The command then outputs your password in an encrypted form.
  3. Copy the hash, and paste it in the template file where you configured the users, that is, either in /etc/grub.d/01_users or /etc/grub.d/40_custom.
    The following format applies for the 01_users file:
    cat <<EOF
    set superusers="john"
    password_pbkdf2 john grub.pbkdf2.sha512.10000.19074739ED80F115963D984BDCB35AA671C24325755377C3E9B014D862DA6ACC77BC110EED41822800A87FD3700C037320E51E9326188D53247EC0722DDF15FC.C56EC0738911AD86CEA55546139FEBC366A393DF9785A8F44D3E51BF09DB980BAFEF85281CBBC56778D8B19DC94833EA8342F7D73E3A1AA30B205091F1015A85
    EOF
    The following format applies for the 40_custom file:
    set superusers="john"
    password_pbkdf2 john grub.pbkdf2.sha512.10000.19074739ED80F115963D984BDCB35AA671C24325755377C3E9B014D862DA6ACC77BC110EED41822800A87FD3700C037320E51E9326188D53247EC0722DDF15FC.C56EC0738911AD86CEA55546139FEBC366A393DF9785A8F44D3E51BF09DB980BAFEF85281CBBC56778D8B19DC94833EA8342F7D73E3A1AA30B205091F1015A85
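
An added example, not part of the original documentation: a shell check for the template file edited in step 3. It flags any remaining plain-text password entry and any password_pbkdf2 value that does not follow the grub.pbkdf2.sha512.<iterations>.<salt>.<hash> layout shown above. The function name audit_grub_users, the sample entries, and the 10000 minimum iteration count (taken from the example hash) are assumptions.

```shell
#!/bin/sh
# audit_grub_users FILE [MIN_ITERATIONS]
# Prints one finding per line as FILE:LINE: message.
# Returns 0 when every password entry is a well-formed PBKDF2 hash, 1 otherwise.
audit_grub_users() {
    awk -v min="${2:-10000}" '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; bad = 1 }

    # A bare "password" directive stores the secret in plain text.
    $1 == "password" { report("plain-text password for user " $2) }

    # password_pbkdf2 USER grub.pbkdf2.sha512.<iterations>.<salt>.<hash>
    $1 == "password_pbkdf2" {
        n = split($3, f, ".")
        if (n != 6 || (f[1] "." f[2] "." f[3]) != "grub.pbkdf2.sha512")
            report("malformed hash for user " $2)
        else if (f[4] !~ /^[0-9]+$/ || f[4] + 0 < min + 0)
            report("iteration count " f[4] " below " min " for user " $2)
        else if (f[5] !~ /^[0-9A-Fa-f]+$/ || f[6] !~ /^[0-9A-Fa-f]+$/ ||
                 length(f[5]) % 2 || length(f[6]) % 2)
            report("salt or hash is not whole hex bytes for user " $2)
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample (not a real configuration): one plain-text entry and
# one hashed entry with shortened, made-up salt and hash values.
sample=$(mktemp)
cat > "$sample" <<'EOF'
set superusers="john"
password john s3cret
password_pbkdf2 jane grub.pbkdf2.sha512.10000.A1B2C3D4.0F1E2D3C
EOF
audit_grub_users "$sample" || echo "audit failed: fix the entries listed above"
rm -f "$sample"

# On a real system (path from step 3):
#   audit_grub_users /etc/grub.d/01_users
```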