grub-mkpasswd-pbkdf2
Create GRUB2 password hashes
SYNOPSIS
grub-mkpasswd-pbkdf2 [OPTION…]
PARAMETERS
-h, --help
display this help message and exit
-v, --version
print version information and exit
--iteration-count=N
use iteration count N (default: 10000; minimum: 10000)
DESCRIPTION
The grub-mkpasswd-pbkdf2 command is a utility from the GRUB2 bootloader package that generates cryptographically secure password hashes using the PBKDF2 (Password-Based Key Derivation Function 2) algorithm with SHA-512. It is designed to create hashed passwords for securing GRUB boot menus, superuser access, or specific menu entries.
GRUB traditionally used weaker MD5-based hashes via grub-mkpasswd, but PBKDF2 provides resistance against brute-force attacks due to its iterative key derivation process. When invoked, the command interactively prompts the user to enter a password twice for verification. Upon successful match, it outputs a formatted hash string in the form:
grub.pbkdf2.sha512.<iterations>.<salt>.<hash>
This string is then inserted into GRUB configuration files like /etc/grub.d/40_custom or grub.cfg. For example:
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.4A8B...
It supports customization of the iteration count for tuning security vs. performance. Non-interactive use is possible by piping the password via stdin; because the tool asks for the password twice, it must be supplied twice, one copy per line, e.g., printf 'mypassword\nmypassword\n' | grub-mkpasswd-pbkdf2. Interactive mode is recommended for security, since a password typed on a command line can end up in shell history. This tool enhances bootloader security on Linux systems, preventing unauthorized boot option changes or kernel loading.
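Before rebooting with a new password_pbkdf2 line, it helps to confirm that the string pasted into the configuration is complete and matches the intended password. The following is an added example, not part of GRUB or the original page; the function names are this example's own, and it assumes the salt and hash fields are hex-encoded bytes and that the derived key length equals the length of the hash field.

```python
import hashlib
import hmac
import os

PREFIX = "grub.pbkdf2.sha512."
BASELINE_ITERATIONS = 10000  # default iteration count given on this page


def parse_grub_hash(value):
    """Split grub.pbkdf2.sha512.<iterations>.<salt>.<hash> into its fields."""
    if not value.startswith(PREFIX):
        raise ValueError("not a grub.pbkdf2.sha512 string")
    fields = value[len(PREFIX):].split(".")
    if len(fields) != 3:
        raise ValueError("expected <iterations>.<salt>.<hash>")
    iterations = int(fields[0])          # ValueError if not a number
    salt = bytes.fromhex(fields[1])      # ValueError on truncated or non-hex data
    digest = bytes.fromhex(fields[2])
    if iterations < 1 or not salt or not digest:
        raise ValueError("empty or non-positive field")
    return iterations, salt, digest


def make_grub_hash(password, iterations=BASELINE_ITERATIONS, salt=None, dklen=64):
    """Build a string in the same layout; stands in for the real tool in the demo."""
    salt = os.urandom(64) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen)
    return f"{PREFIX}{iterations}.{salt.hex().upper()}.{digest.hex().upper()}"


def check_grub_hash(value, password):
    """Return a list of findings; an empty list means the entry is consistent."""
    iterations, salt, digest = parse_grub_hash(value)
    findings = []
    if iterations < BASELINE_ITERATIONS:
        findings.append(f"iteration count {iterations} is below {BASELINE_ITERATIONS}")
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, len(digest))
    if not hmac.compare_digest(candidate, digest):
        findings.append("password does not match hash")
    return findings


if __name__ == "__main__":
    sample = make_grub_hash("constructed-demo-password")  # constructed sample, not a real hash
    print(check_grub_hash(sample, "constructed-demo-password"))
    print(check_grub_hash(sample, "typo-in-password"))
```

A truncated placeholder such as the 4A8B... value in the configuration snippet above is rejected by parse_grub_hash with a ValueError instead of being silently accepted.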
CAVEATS
Password entry is interactive by default and echoed as asterisks for security. Mismatched passwords require restarting. High iteration counts may slow GRUB boot on old hardware. Hashes are GRUB-specific; not compatible with other tools.
EXAMPLE USAGE
grub-mkpasswd-pbkdf2
Enter password: ****
Reenter password: ****
PBKDF2 hash: grub.pbkdf2.sha512.10000.A1B2C3D4E5F67890123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0.123456789ABCDEF0123456789ABCDEF012345678901234567890ABCDEF012345678901234567890ABCDEF0123456789ABCDEF
GRUB CONFIG INTEGRATION
Add to grub.cfg:
insmod pbkdf2
set superusers="admin"
password_pbkdf2 admin <hash-from-command>
echo 'Entering will lock Grub menu' >&2
Run update-grub after changes.
HISTORY
Introduced in GRUB2 2.02 (2012) to replace insecure MD5 hashing from grub-mkpasswd. PBKDF2 support added for modern crypto standards, with defaults tuned over releases (e.g., SHA-512 in GRUB 2.04+). Widely used since Ubuntu 16.04 and Fedora 20+ for secure boot.
SEE ALSO
grub-mkpasswd(8), grub-install(8), update-grub(8), grub.cfg(5)


