LinuxCommandLibrary

grub2-mkpasswd-pbkdf2

Create GRUB2 password hashes

TLDR

Create a password hash for GRUB 2 using PBKDF2 and print it to stdout

$ sudo grub2-mkpasswd-pbkdf2 [[-c|--iteration-count]] [number_of_pbkdf2_iterations] [[-s|--salt]] [salt_length]

SYNOPSIS

grub2-mkpasswd-pbkdf2 [--iteration-count=N]

PARAMETERS

--iteration-count=N
    Number of PBKDF2 iterations (default: 10000; higher slows verification but improves security)

DESCRIPTION

The grub2-mkpasswd-pbkdf2 command is a utility from the GRUB2 bootloader package used to generate secure PBKDF2 (Password-Based Key Derivation Function 2) hashes for passwords. It prompts the user to enter a password twice for verification and outputs a hashed string in the format grub.pbkdf2.sha512.$iterations.$salt.$hash.

This hash is designed for use in GRUB2 configuration files (grub.cfg) to protect boot menu entries, superuser access, or specific commands with password authentication. By using PBKDF2 with SHA-512, it provides resistance against brute-force attacks through a configurable number of iterations, balancing security and boot performance.

Common workflow: run the command, enter the desired password, then paste the generated hash into a grub.cfg line such as password_pbkdf2 superuser <hash>, or tie it to a username with set superusers="user" followed by password_pbkdf2 user <hash>. After updating, regenerate the config with grub2-mkconfig and reboot to test. This replaces insecure plaintext passwords in GRUB2 setups.
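
A mistyped password or a truncated paste only shows up at the next boot, so the string can be checked offline first. The block below is an added example, not part of the original page or of GRUB: it parses the grub.pbkdf2.sha512.$iterations.$salt.$hash format and recomputes PBKDF2-HMAC-SHA512 with Python's hashlib. The function names are hypothetical, and it assumes hex-encoded salt and hash fields, a UTF-8 password, and 64-byte salt and key lengths for the constructed sample.

```python
import hashlib
import hmac
import os

PREFIX = "grub.pbkdf2.sha512."

def parse_grub_hash(text):
    """Split PREFIX + iterations.salt.hash into (int, bytes, bytes)."""
    if not text.startswith(PREFIX):
        raise ValueError("missing grub.pbkdf2.sha512. prefix")
    fields = text[len(PREFIX):].split(".")
    if len(fields) != 3:
        raise ValueError("expected iterations.salt.hash after the prefix")
    count, salt_hex, hash_hex = fields
    if not (count.isascii() and count.isdigit()) or int(count) < 1:
        raise ValueError("iteration count must be a positive integer")
    try:
        # Assumption: salt and hash are hex-encoded.
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        raise ValueError("salt and hash must be hexadecimal") from None
    if not salt or not digest:
        raise ValueError("empty salt or hash")
    return int(count), salt, digest

def make_grub_hash(password, iterations=10000, salt_len=64, key_len=64):
    """Build a constructed sample string (lengths are assumed defaults)."""
    salt = os.urandom(salt_len)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                              iterations, dklen=key_len)
    return f"{PREFIX}{iterations}.{salt.hex().upper()}.{key.hex().upper()}"

def verify(password, text):
    """Return True if password derives the hash stored in text."""
    iterations, salt, digest = parse_grub_hash(text)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                              iterations, dklen=len(digest))
    return hmac.compare_digest(key, digest)  # constant-time comparison

def weak_iterations(text, minimum=10000):
    """True if the count is below minimum (10000 is the page's default)."""
    return parse_grub_hash(text)[0] < minimum

if __name__ == "__main__":
    sample = make_grub_hash("constructed-sample-password")  # constructed input
    print(verify("constructed-sample-password", sample), weak_iterations(sample))
```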

CAVEATS

Hash is GRUB2-specific; high iteration counts may delay boot on slow hardware. Always verify password entry. Not for non-interactive use: stdin piping is unsupported.

EXAMPLE OUTPUT

$ grub2-mkpasswd-pbkdf2
Enter password: ****
Reenter password: ****
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.4A8B9C2D3E4F5G6H7I8J9K0L1M2N3O4P5Q6R7S8T9U0V1W2X3Y4Z5A6B7C8D9E0F.1A2B3C4D5E6F7G8H9I0J1K2L3M4N5O6P7Q8R9S0T1U2V3W4X5Y6Z7A8B9C0D1E2F3

Use in grub.cfg: password_pbkdf2 root <above_hash>

SECURITY NOTE

Default 10000 iterations recommended; test on target hardware. Store grub.cfg securely: it contains no plaintext password, but it reveals the iteration count and salt.

HISTORY

Introduced in GRUB2 (version 2.02+, around 2012) to replace weak MD5 or plaintext password hashing, aligning with modern crypto standards like NIST recommendations for key derivation.

SEE ALSO

grub2-mkconfig(8), grub2-editenv(8), grub-mkpasswd-pbkdf2(8)
