grub2-mkpasswd-pbkdf2
Create GRUB2 password hashes
TLDR
Create a password hash for GRUB 2 using PBKDF2 and print it to stdout
SYNOPSIS
grub2-mkpasswd-pbkdf2 [OPTIONS]
PARAMETERS
--help
Display help information and exit.
--version
Display version information and exit.
--salt=
Specify a salt to use for the PBKDF2 hash. If omitted, a random salt is generated.
--iteration=
Specify the number of iterations to use for the PBKDF2 hash. If omitted, a default value is used. A higher value results in a more secure but slower hash.
DESCRIPTION
The grub2-mkpasswd-pbkdf2 command is a utility that generates PBKDF2 password hashes suitable for use in GRUB 2 configuration files. These hashes are used to protect GRUB 2 boot entries, preventing unauthorized modifications to boot options or access to the GRUB command line. The command prompts for a password, optionally allows specifying a salt or iteration count, and then outputs the generated hash in a format compatible with the password_pbkdf2 GRUB command. This is crucial for securing systems that rely on GRUB 2 as their bootloader, as it prevents tampering with the boot process. Security is achieved via PBKDF2 which allows using different iteration numbers in order to achieve a suitable delay for brute force attacks.
CAVEATS
The security of the generated password depends heavily on the strength of the password chosen and the number of iterations used. Always use a strong, complex password and consider increasing the iteration count to improve security against brute-force attacks.
EXAMPLE USAGE
To generate a password hash with default settings, simply run grub2-mkpasswd-pbkdf2 and enter the desired password when prompted. To specify a salt and iteration count, use the --salt and --iteration options respectively. Example: grub2-mkpasswd-pbkdf2 --salt=my_salt --iteration=10000
CONFIGURATION
The output of grub2-mkpasswd-pbkdf2 needs to be integrated into the grub.cfg configuration file. Usually the command `password_pbkdf2
SEE ALSO
grub2-install(1), grub2-mkconfig(8), grub.cfg
