How to Add Password Protect to Grub Boot Menu in Linux Mint, Ubuntu, Debian

This tutorial shows how to add a password protect to the startup boot-menu in Linux.

As you may know, hacking password in Linux is easy. By going to command console or recovery mode from Grub boot-menu, others can reset user password via a few commands.

So if you’re not using Linux in a private place, encrypt your file system or add password protect to boot menu is highly recommended. And here’s how to do the latter option.

1. Please do following steps carefully! A mistake may cause your system refuse to boot, though you can rescue via a bootable Linux USB installer.

2. If you have Dual or Multiple Linux OSes in boot-menu, boot the first entry and do below steps.

Supported Systems.

This tutorial will work on Ubuntu, Debian, Linux Mint, Arch Linux, Fedora, and all other Linux using Grub boot-loader.

Once done, you’ll get the screen to type username and password when booting or editing a menu entry:

Generate a hashed password.

This step is for those want to encrypt the password, so even login user cannot view the password in configuration file.

Firstly open terminal from system app launcher.

When terminal opens, run command:

grub-mkpasswd-pbkdf2

Type a desired password and confirm (Remember or write down the password you type! It will be used for booting your Linux).

Finally copy the output string starts with “grub.pbkdf2.sha512….” as the picture shows. That’s the encryption key for your password.

Add Password Protect to Grub boot-menu.

1.) Now edit the configuration file by running command in terminal:

sudo nano /etc/grub.d/40_custom
Here I use nano, the universal command line text editor. You can replace it with your favorite text editor.

2.) When the file opens, scroll down and add two new lines from either one below:

  • Write the password in plain text. In the case, USER_NAME is merilyn and PASSWORD is 564564
    set superusers="USER_NAME"
    password USER_NAME PASSWORD

  • Set the password using encryption key. USER_NAME is merilyn in the picture and the key is copied from the last step.
    set superusers="USER_NAME"
    password_pbkdf2 USER_NAME encryption_key
    Just note the second line starts with "password_pbkdf2" which is different to previous method.

Finally, press Ctrl+X, type y and hit Enter to save the file.

3.) Apply changes.

Finally save the file, and update grub by running command in terminal:

sudo update-grub

NOTE for Fedora users: updating grub need to run this command for UEFI-boot:

grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

Or use this command to legacy BIOS-boot:

grub2-mkconfig -o /boot/grub2/grub.cfg

Only password protect for editing menu or Grub command line.

For choices, you can add --unrestricted to menu entry. So any user can boot the menu entries, but when trying to edit menu, go sub-menu, access Grub command console, it will ask to type user and password.

To do so, open terminal and run command to edit the 10_linux configuration file:

sudo nano /etc/grub.d/10_linux

scroll down and add --unrestricted as value of line ‘CLASS=”–class gnu-linux –class gnu –class os”‘.

After that, save the file (press Ctrl+X, type y and hit Enter) and update grub to apply change.

Conclusion.

Though adding password protect to Grub boot-menu is possible, others can still hack you system via an USB installer. So encrypt your file system is the best choice so far.

And password protect for only editing menu entry and command console is not perfect! Because a system update for Grub package will overwrite the /etc/grub.d/10_linux file.

Merilyn Ne
Hi, I'm Merilyn Ne, a geek who has been working on Ubuntu Linux for many years and would like to write useful tips for beginners. Forgive me for language mistakes. I'm not a native speaker of English.