grub-mkpasswd-pbkdf2
Create GRUB2 password hashes
SYNOPSIS
grub-mkpasswd-pbkdf2
DESCRIPTION
grub-mkpasswd-pbkdf2 is a utility program provided as part of the GRUB (GRand Unified Bootloader) suite. Its primary purpose is to generate PBKDF2 (Password-Based Key Derivation Function 2) hashes of plaintext passwords. These hashes are then used within the grub.cfg configuration file to secure GRUB menu entries or to protect the entire bootloader configuration.
When executed, the command interactively prompts the user to enter a password and then to confirm it. It then writes the PBKDF2-hashed password, typically prefixed with grub.pbkdf2., to standard output. The output embeds the salt and the iteration count alongside the derived hash: the salt makes precomputed tables useless, and the iteration count raises the cost of every guess in a brute-force attack. The tool is essential for administrators who want to add a layer of security to the boot process by preventing unauthorized users from modifying boot parameters or accessing restricted boot options.
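The string the tool prints has the layout grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>. The following added example (not part of GRUB or of the original page) parses that layout, checks a known password against it, and flags parameters below a local policy. The function names, the UTF-8 password encoding, the audit thresholds and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import NamedTuple


class GrubHash(NamedTuple):
    iterations: int
    salt: bytes
    digest: bytes


def parse_grub_hash(value: str) -> GrubHash:
    """Split grub.pbkdf2.sha512.<iterations>.<salt hex>.<digest hex>."""
    parts = value.strip().split(".")
    if len(parts) != 6 or parts[:3] != ["grub", "pbkdf2", "sha512"]:
        raise ValueError("not a grub.pbkdf2.sha512 hash string")
    if not parts[3].isdigit() or int(parts[3]) < 1:
        raise ValueError("iteration count must be a positive integer")
    # bytes.fromhex raises ValueError on malformed or odd-length hex.
    return GrubHash(int(parts[3]), bytes.fromhex(parts[4]), bytes.fromhex(parts[5]))


def format_grub_hash(password: str, salt: bytes, iterations: int) -> str:
    """Build a string in the same layout (used here to construct sample data)."""
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=64)
    return f"grub.pbkdf2.sha512.{iterations}.{salt.hex().upper()}.{digest.hex().upper()}"


def verify(password: str, value: str) -> bool:
    """Recompute PBKDF2 with the embedded salt and count; compare in constant time."""
    h = parse_grub_hash(value)
    derived = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), h.salt,
                                  h.iterations, dklen=len(h.digest))
    return hmac.compare_digest(derived, h.digest)


def audit(value: str, min_iterations: int = 10000, min_salt_bytes: int = 16) -> list:
    """Return findings for parameters below local policy (thresholds are assumptions)."""
    h = parse_grub_hash(value)
    findings = []
    if h.iterations < min_iterations:
        findings.append(f"iteration count {h.iterations} < {min_iterations}")
    if len(h.salt) < min_salt_bytes:
        findings.append(f"salt is {len(h.salt)} bytes < {min_salt_bytes}")
    return findings


if __name__ == "__main__":
    # Constructed sample, not output captured from a real system.
    sample = format_grub_hash("correct horse battery staple", bytes(range(64)), 10000)
    print(sample[:40] + "...", verify("correct horse battery staple", sample), audit(sample))
```

Running audit() over the password_pbkdf2 values collected from a fleet shows which hosts carry hashes generated with reduced iteration counts or short salts.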
CAVEATS
The password generated by grub-mkpasswd-pbkdf2 protects only the GRUB bootloader configuration and does not secure the operating system itself. Physical access to the machine can still allow an attacker to bypass GRUB password protection by booting from removable media or by directly modifying the boot drive (though this requires more advanced knowledge). The security of the GRUB password is entirely dependent on the strength and uniqueness of the chosen password.
USAGE IN GRUB.CFG
After generating a password using grub-mkpasswd-pbkdf2, the output hash can be placed in /boot/grub/grub.cfg. For example, to protect a specific menu entry, you would add a line like:

    password_pbkdf2 username grub.pbkdf2.hash...

or to protect the entire bootloader:

    set superusers="username"
    password_pbkdf2 username grub.pbkdf2.hash...

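This ensures that only users who authenticate with the correct password can access or modify the specified GRUB options. Note that grub.cfg is normally regenerated by grub-mkconfig(8), and lines added to it by hand are lost when that happens.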
HISTORY
The use of PBKDF2 for GRUB passwords was introduced with GRUB2, the successor to GRUB Legacy. GRUB Legacy typically used simpler hashing methods like MD5crypt for password protection. The adoption of PBKDF2 reflects a general trend towards stronger, more computationally intensive password hashing algorithms to enhance security against dictionary and brute-force attacks, aligning GRUB's security features with modern cryptographic best practices.
SEE ALSO
grub-mkconfig(8), grub-install(8), grub(8), grub.cfg(5)