LinuxCommandLibrary

grub2-mkpasswd-pbkdf2

Create GRUB2 password hashes

TLDR

Create a password hash for GRUB 2 using PBKDF2 and print it to stdout

$ sudo grub2-mkpasswd-pbkdf2 [-c|--iteration-count number_of_pbkdf2_iterations] [-s|--salt salt_length]

SYNOPSIS

grub2-mkpasswd-pbkdf2 [-i ITERATION] [-s SALT] [--pbkdf2-algorithm ALGORITHM] [--password PASSWORD]

PARAMETERS

-i ITERATION, --iteration=ITERATION
    Specifies the number of iterations (rounds) for the PBKDF2 algorithm. A higher number increases security but also computation time. The default is typically 10000 or more.

-s SALT, --salt=SALT
    Specifies the salt to use for the PBKDF2 algorithm. If not provided, a random salt will be generated automatically. Using a unique, random salt for each password is a security best practice.

--pbkdf2-algorithm=ALGORITHM
    Specifies the underlying hashing algorithm to use for PBKDF2. Common choices include sha512 (the default), sha256, etc. It's recommended to use a strong algorithm like sha512.

--password=PASSWORD
    Provides the password directly on the command line. For security reasons, it is generally recommended to avoid this option as the password might be stored in shell history or visible to other users via process lists. Instead, let the command prompt for interactive input.

--help
    Displays a help message and exits.

--version
    Displays version information and exits.

DESCRIPTION

The grub2-mkpasswd-pbkdf2 command generates PBKDF2-hashed passwords for use with the GRUB2 bootloader.

GRUB2 (Grand Unified Bootloader, version 2) can be configured to require a password for accessing certain menu entries, preventing unauthorized users from modifying boot parameters, or even accessing the GRUB command line. Unlike older hashing methods (e.g., MD5 or SHA-1) that are susceptible to modern cracking techniques, PBKDF2 (Password-Based Key Derivation Function 2) adds significant computational cost to the hashing process. This 'key stretching' makes brute-force attacks and rainbow table attacks much more difficult and time-consuming, enhancing the security of your bootloader.

The command takes a password as input (either interactively or via an option) and outputs a string containing the salt, iteration count, and the PBKDF2 hash. This string is then used in the grub.cfg configuration file to secure GRUB2 menus or the GRUB console. Proper configuration of GRUB2 with these strong passwords is a crucial step in securing the boot process of a Linux system.

CAVEATS

Using the --password option on the command line is highly discouraged due to security risks, such as the password being exposed in shell history, process lists (e.g., ps output), or system logs. Always prefer interactive password input when possible.

The generated password hash must be correctly integrated into the GRUB2 configuration (typically /boot/grub/grub.cfg, or the /etc/grub.d/ scripts from which grub-mkconfig regenerates it) for it to take effect. Incorrect placement or syntax will prevent the password from working, and edits made directly to grub.cfg are lost the next time it is regenerated.

Ensure a sufficiently high iteration count (e.g., 10000 or more) is used for robust security against brute-force attacks.

USAGE IN GRUB.CFG

The output of grub2-mkpasswd-pbkdf2 is a string of the form grub.pbkdf2.sha512.<iterations>.<salt>.<hash>. This string is then used within your grub.cfg file (or a file included by it, such as /etc/grub.d/40_custom) to set a password for GRUB. A common setup defines the superusers and associates the hash with a username, for example:

    set superusers="myuser"
    password_pbkdf2 myuser grub.pbkdf2.sha512.10000.<salt>.<hash>

This protects specific menu entries (via the --users option on a menuentry) or the entire GRUB console.
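As an added example that is not part of this page or of GRUB's own code: a small Python script that produces a string in the same grub.pbkdf2.sha512.<iterations>.<salt>.<hash> layout the tool emits (PBKDF2-HMAC-SHA512 via hashlib, with GRUB's defaults of 10000 iterations, a 64-byte salt and a 64-byte digest, hex-encoded in upper case), and that verifies a hash already pasted into a password_pbkdf2 line against a password before you rely on it at the next reboot. The function names and the sample password_pbkdf2 line are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PREFIX = "grub.pbkdf2.sha512"   # GRUB only emits PBKDF2 with HMAC-SHA512


def make_grub_hash(password: str, iterations: int = 10000,
                   salt: Optional[bytes] = None,
                   salt_len: int = 64, buflen: int = 64) -> str:
    """Build a grub.pbkdf2.sha512.<iter>.<SALT>.<HASH> string (defaults match GRUB)."""
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    if salt is None:
        salt = secrets.token_bytes(salt_len)     # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             salt, iterations, dklen=buflen)
    return f"{PREFIX}.{iterations}.{salt.hex().upper()}.{dk.hex().upper()}"


def parse_grub_hash(s: str) -> Tuple[int, bytes, bytes]:
    """Split a GRUB PBKDF2 string into (iterations, salt, digest), rejecting other formats."""
    parts = s.strip().split(".")
    if len(parts) != 6 or ".".join(parts[:3]) != PREFIX:
        raise ValueError("not a grub.pbkdf2.sha512 hash string")
    return int(parts[3]), bytes.fromhex(parts[4]), bytes.fromhex(parts[5])


def verify_grub_hash(s: str, password: str) -> bool:
    """Recompute PBKDF2 with the embedded salt/iterations and compare in constant time."""
    iterations, salt, digest = parse_grub_hash(s)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    salt, iterations, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


def check_password_pbkdf2_line(line: str, password: str) -> Tuple[str, bool]:
    """Check a 'password_pbkdf2 <user> <hash>' grub.cfg line; returns (user, matches)."""
    fields = line.split()
    if len(fields) != 3 or fields[0] != "password_pbkdf2":
        raise ValueError("not a password_pbkdf2 line")
    return fields[1], verify_grub_hash(fields[2], password)


if __name__ == "__main__":
    h = make_grub_hash("constructed-example-password")      # constructed sample
    print("password_pbkdf2 myuser " + h)
    print(check_password_pbkdf2_line("password_pbkdf2 myuser " + h,
                                     "constructed-example-password"))
```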

HISTORY

The adoption of PBKDF2 for password hashing in GRUB2 represents a significant security enhancement over older, less secure hashing methods like MD5 or SHA-1. This command, grub2-mkpasswd-pbkdf2, was introduced to facilitate the generation of these stronger passwords, aligning GRUB2's password protection capabilities with modern cryptographic best practices. Its development reflects the ongoing effort to secure all layers of a Linux system, including the crucial boot process, against evolving security threats.

SEE ALSO

grub-mkconfig(8), grub-install(8), grub(8), grub-mkpasswd(1)
