Enabling a GRUB2 password can lock your operating system from intruders even with physical access to your machine. Add to it a BIOS password lock and all removable bootable media disabled, your device is quite safe from any normal attacks. Here’s the procedure to add a password to your GRUB2 on Ubuntu. It is tested on Ubuntu Trusty on a UEFI laptop that doesn’t have secure boot feature. So adding a GRUB password works as an alternative security measure. All the steps should be run as root or sudoer.
- Generate the PBKDF2 hash of your password.
# grub-mkpasswd-pbkdf2 Enter password: Reenter password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.942F4587C48F7A...
- Edit /etc/grub.d/40_custom and add the following at the end of the file:
set superusers="root" password_pbkdf2 root grub.pbkdf2.sha512.10000.942F4587C48F7A...
- Regenerate GRUB2 configuration
# grub-mkconfig -o /boot/grub/grub.cfg
Note that you may need to use the following commands on a BIOS device:
# grub-mkpasswd-pbkdf2 [Step 1] & # grub2-mkconfig -o /boot/grub2/grub.cfg [Step 3]
To clear the password, edit /etc/grub.d/40_custom and delete the lines added in Step 2. Run the command in Step 3.