Hey all!
Running your Linux Os and think you have secured it with user password to restrict access?
Well, that is not the case because somebody can easily change your user password using grub thus compromising the security of your system. Then how do we curb this??
You have to set grub password and this is how to.
Edit the file:


Create your password by typing:

# grub-mkpasswd-pbkdf2

Enter the desired password.

This will generate a long and encrypted password as shown in the screen-shot below.

grub password

Copy the whole generated code
Edit the file /etc/grub.d/00_header using vi or leafpad e.g

# vi /etc/grub.d/00_header


# sudo leafpad /etc/grub.d/00_header

Go to the end of the file, on vi use G to go to the end of the file, if on the leafpad scroll to the end of the file.
Type the following command;

cat << EOF
set superusers="username"
password_pbkdf2 username 'paste the generated code copied above here'

For instance, in my case check the screenshot

grub password 02

Save the changes and exit the editor & update grub using either of the commands;

# update-grub


# grub-mkconfig -o /boot/grub/grub.cfg

To test the changes, reboot the system. If the procedure above was successful, once you select grub entry to boot, you will be prompted to enter username and password. Enter those credentials and there you go,, your grub is secured!!!!

On The Other Hand,

In case you forget your password or grub password fails to work, this is how to restore the changes using live bootable flash-drive or DVD.
Check the link, on how to make a bootable flash drive. Once you have created one, boot the system using it.

Once you boot into live, follow the procedure here given.
Launch the gparted to check the partition where system OS is installed (check the screenshot for my case)

gparted partition

Mount the Linux OS root Partition using the following command

# sudo mount /dev/sda6 /mnt/
# cd /mnt/

Then type the following command as it is:

# for i in /sys /proc /run /dev; do sudo mount --bind "$i" "/mnt$i"; 

Edit the file /etc/grub.d/00_header using

vi /etc/grub.d/00_header

Remove the added lines at the end of it, as in below for my case,

cat << EOF
set superusers="Koromicha"
password_pbkdf2 Koromicha grub.pbkdf2.sha512.10000.0EF3409AFA03D25C3CFCC47EE7664B8BE6A9554D5D9ADBB9D78

Update grub

# update-grub

Install grub in Master Boot Record(MBR) using the following command

# grub-install /dev/sda

Update grub again to effect the changes:

# update-grub

Reboot your system and the grub password prompt is gone!!!

Your support is our everlasting motivation,
that cup of coffee is what keeps us going!

As we continue to grow, we would wish to reach and impact more people who visit and take advantage of the guides we have on our blog. This is a big task for us and we are so far extremely grateful for the kind people who have shown amazing support for our work over the time we have been online.

Thank You for your support as we work to give you the best of guides and articles. Click below to buy us a coffee.


  1. Thanks. I used this method but I didn't want to enter user name and password every time I boot, so I edited /boot/grub/grub.cfg file adding ' –unrestricted' next to a menu entry for allowing any user to boot the OS while preventing the user from editing the entry and preventing access to the grub command console.

    like this:
    menuentry 'Kali GNU/Linux' –unrestricted –class kali…

    Also,I read somewhere that for preventing that anyone edit GRUB's boot entries or use its command-line mode (allowing to boot without password) you should add the encrypted password in the file /etc/grub.d/40_custom (I haven't tried)


Please enter your comment!
Please enter your name here