grub2-mkpasswd-pbkdf2

grub2-mkpasswd-pbkdf2 [options]

grub2-mkpasswd-pbkdf2 generates hashed passwords for protecting GRUB 2 bootloader configuration. The output hash can be used in grub.cfg to password-protect boot entries or the GRUB command line.
PBKDF2 (Password-Based Key Derivation Function 2) provides strong protection against brute-force attacks by using multiple iterations and a random salt. The resulting hash is safe to store in configuration files.

-c, --iteration-count COUNT

Number of PBKDF2 iterations (higher is more secure but slower)

Length of the salt in bytes

Requires root privileges to run. The generated hash must be manually added to GRUB configuration. Higher iteration counts increase security but also boot-time password verification delay.

grub2-mkpasswd-pbkdf2 is part of GRUB 2. Password protection for GRUB was introduced to prevent unauthorized users from modifying boot parameters or accessing single-user mode. PBKDF2 replaced simpler hashing methods for improved security.

grub-mkconfig(8), grub-install(8), grub-editenv(1)