Password Protect Grub Boot Menu in Linux

Introduction

From the Grub boot menu, anyone can open the command console or boot into recovery mode and reset a user's password with a few commands. So if you're not using Linux in a private place, encrypting your file system or adding password protection to the boot menu is highly recommended.

Debian

Generate a hashed password

grub-mkpasswd-pbkdf2

Add password protection to the Grub boot menu

sudo nano /etc/grub.d/40_custom

Set a user name and add the generated hashed password, replacing USER_NAME and encrypted_password in the lines below.

set superusers="USER_NAME"
password_pbkdf2 USER_NAME encrypted_password

Reconfigure bootloader

sudo update-grub

RHEL

Switch to root and change to the Grub directory

sudo su -
cd /boot/grub2/

Create the password and user.cfg

grub2-setpassword

Reconfigure bootloader

grub2-mkconfig -o /boot/grub2/grub.cfg

Password protect only menu editing and the Grub command line

Optionally, you can add --unrestricted to the menu entries. Any user can then boot those entries, but editing an entry, opening a sub-menu, or accessing the Grub command console still prompts for the user name and password.

sudo nano /etc/grub.d/10_linux

Change this line from

CLASS="--class gnu-linux --class gnu --class os"

to

CLASS="--class gnu-linux --class gnu --class os --unrestricted"

After that, save the file and update Grub to apply the change.
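
To confirm the result, the generated configuration can be checked for the directives used above. The script below is an added example, not part of the original page: it audits a grub.cfg for a superusers setting, a hashed password_pbkdf2 entry and any plaintext password directive, and counts the entries marked --unrestricted. The function names, the sample config and the acceptance of a $variable in place of a literal hash (for configs that load the hash from user.cfg) are assumptions.

```shell
#!/bin/sh
# Added example: audit a generated grub.cfg for the settings on this page.

# Print how many lines of file $2 match extended regex $1 (0 if none).
count_lines() { grep -Ec -- "$1" "$2" || true; }

# Return 0 if the config sets a superuser with a hashed password and has no
# plaintext "password" directive; also report how many entries are unrestricted.
audit_grub_cfg() {
    cfg=$1
    [ -r "$cfg" ] || { echo "ERROR: cannot read $cfg" >&2; return 2; }
    rc=0
    su=$(count_lines '^[[:space:]]*set[[:space:]]+superusers=' "$cfg")
    # Assumption: the hash is either literal (grub.pbkdf2...) or a $variable.
    hashed=$(count_lines '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+(grub\.pbkdf2\.|\$)' "$cfg")
    plain=$(count_lines '^[[:space:]]*password[[:space:]]' "$cfg")
    total=$(count_lines '^[[:space:]]*(menuentry|submenu)[[:space:]]' "$cfg")
    open=$(count_lines '^[[:space:]]*(menuentry|submenu)[[:space:]].*--unrestricted' "$cfg")
    [ "$su" -gt 0 ] || { echo "FAIL: superusers not set, nothing is protected"; rc=1; }
    [ "$hashed" -gt 0 ] || { echo "FAIL: no password_pbkdf2 entry"; rc=1; }
    [ "$plain" -eq 0 ] || { echo "FAIL: plaintext 'password' directive found"; rc=1; }
    echo "entries: $total total, $open marked --unrestricted"
    return "$rc"
}

# Constructed sample input (the hash is a shortened placeholder, not a real one).
sample_cfg() {
cat <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.AAAA.BBBB
menuentry 'Debian GNU/Linux' --class gnu-linux --class gnu --class os --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro
}
menuentry 'Custom rescue entry' --class os {
    linux /vmlinuz root=/dev/sda1 ro single
}
EOF
}

# With a path argument audit that file, otherwise audit the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_grub_cfg "$1"
else
    tmp=$(mktemp) && sample_cfg > "$tmp" && audit_grub_cfg "$tmp"; rm -f "$tmp"
fi
```

Saved under a name such as audit.sh (hypothetical), it takes the config path as its argument, for example /boot/grub/grub.cfg on Debian or /boot/grub2/grub.cfg on RHEL. Reading that file normally requires root.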

Conclusion

Although password protecting the Grub boot menu is possible, others can still hack your system via a USB installer. So encrypting your file system is the best choice so far.