One of the first things you should do after installing RHEL 10, Rocky Linux 10, or AlmaLinux 10 is lock down the GRUB bootloader with a password. Without this protection, anyone with physical access to your server can interrupt the boot process, edit kernel parameters, and gain root access in seconds. This guide walks through the full process of setting a GRUB password, verifying it works, and understanding the differences between UEFI and BIOS configurations.
Why You Need to Protect the GRUB Bootloader
If GRUB is left unprotected, an attacker with console or physical access can:
- Press `e` at the GRUB menu to edit boot entries and append `init=/bin/bash` or `single` to boot into single-user mode with full root privileges.
- Use the `rd.break` technique to interrupt the initramfs early, remount the root filesystem, and reset the root password without knowing the current one.
- Boot from a custom kernel or initramfs image to bypass all security controls on the system.
- Disable SELinux enforcement at boot time by adding `selinux=0` to the kernel command line.
Setting a GRUB password means that editing boot entries or accessing the GRUB command line requires authentication first. This is a baseline hardening step that every production server should have in place.
Prerequisites
- A running installation of RHEL 10, Rocky Linux 10, or AlmaLinux 10.
- Root or sudo access to the system.
- Console or SSH access (you will need console access for the reboot verification step).
Understanding UEFI vs BIOS GRUB Paths
Before making changes, you need to know whether your system boots in UEFI or legacy BIOS mode. The GRUB configuration file lives in a different location depending on the firmware type:
| Firmware Mode | GRUB Config Path |
|---|---|
| BIOS (Legacy) | /boot/grub2/grub.cfg |
| UEFI (RHEL 10) | /boot/efi/EFI/redhat/grub.cfg |
| UEFI (Rocky Linux 10) | /boot/efi/EFI/rocky/grub.cfg |
| UEFI (AlmaLinux 10) | /boot/efi/EFI/almalinux/grub.cfg |
Check which mode your system uses:
[ -d /sys/firmware/efi ] && echo "UEFI" || echo "BIOS"
You should see either UEFI or BIOS printed to the terminal. Keep this in mind as the grub2-mkconfig output path differs based on the result.
Step 1 – Generate a GRUB Password Hash with grub2-setpassword
On RHEL 10 and its derivatives, the recommended method for setting a GRUB bootloader password is the grub2-setpassword command. This tool handles password hashing and file creation automatically, which reduces the chance of configuration mistakes.
Run the following command as root:
sudo grub2-setpassword
You will be prompted to enter and confirm the password:
Enter password:
Confirm password:
This command does two things behind the scenes:
- Creates or updates the file `/boot/grub2/user.cfg` with a PBKDF2-hashed version of your password.
- The hash is stored in the format `GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.HASH...`
Verify the Password Hash Was Created
Confirm the file exists and contains the hashed password:
sudo cat /boot/grub2/user.cfg
Expected output:
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.LONGHEXSTRING.ANOTHERLONGHEXSTRING
If you see the hashed password line, the password has been set correctly. The file permissions should be 600 and owned by root:
sudo ls -l /boot/grub2/user.cfg
Expected output:
-rw-------. 1 root root 217 Mar 18 10:00 /boot/grub2/user.cfg
Step 2 – Understand the GRUB User Configuration
The grub2-setpassword command works in conjunction with the script at /etc/grub.d/01_users. This script is included by default on RHEL 10, Rocky Linux 10, and AlmaLinux 10. It reads the password hash from /boot/grub2/user.cfg and injects the superuser definition into the generated grub.cfg.
Examine the contents of this file:
sudo cat /etc/grub.d/01_users
You should see something similar to:
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root \${GRUB2_PASSWORD}
  fi
fi
EOF
This script defines root as the GRUB superuser. When GRUB loads, this superuser account is the one you authenticate with when editing boot entries. The username here is a GRUB-internal username – it is not tied to any Linux system account.
Verify the Script is Executable
sudo ls -l /etc/grub.d/01_users
The file should have execute permissions. If not, fix it:
sudo chmod 755 /etc/grub.d/01_users
Step 3 – Regenerate the GRUB Configuration
After setting the password, regenerate the GRUB configuration file so the password protection takes effect on the next boot.
For BIOS systems:
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
For UEFI systems (RHEL 10):
sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
For UEFI systems (Rocky Linux 10):
sudo grub2-mkconfig -o /boot/efi/EFI/rocky/grub.cfg
For UEFI systems (AlmaLinux 10):
sudo grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfg
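The firmware check from the "Understanding UEFI vs BIOS GRUB Paths" section and the per-distribution paths in this step can be combined into one helper. The script below is an added example, not part of the original guide: it reads the firmware mode from /sys/firmware/efi and the distribution ID from /etc/os-release, maps them to the grub.cfg path listed above, and prints the grub2-mkconfig command to run instead of running it. The function names (detect_firmware, distro_id, grub_cfg_path) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): pick the grub.cfg path for
# this host from firmware mode and distribution, then print the matching
# grub2-mkconfig command. Function names are this example's own.

# Print "UEFI" if the kernel exposed the EFI runtime directory, else "BIOS".
detect_firmware() {
    if [ -d /sys/firmware/efi ]; then
        echo UEFI
    else
        echo BIOS
    fi
}

# Print the ID field from os-release (rhel, rocky, almalinux), or "unknown".
# The file path is a parameter so the function can be exercised on a copy.
distro_id() {
    osr="${1:-/etc/os-release}"
    id=""
    if [ -r "$osr" ]; then
        # ID=rhel  or  ID="rocky"  -> strip the key and any quotes
        id=$(sed -n 's/^ID=//p' "$osr" | tr -d '"')
    fi
    echo "${id:-unknown}"
}

# Map (firmware, distro) to the grub.cfg path the article lists.
# Returns 1 for a UEFI host whose distro is not one of the three covered.
grub_cfg_path() {
    fw="$1"
    id="$2"
    case "$fw" in
        BIOS) echo /boot/grub2/grub.cfg ;;
        UEFI)
            case "$id" in
                rhel)      echo /boot/efi/EFI/redhat/grub.cfg ;;
                rocky)     echo /boot/efi/EFI/rocky/grub.cfg ;;
                almalinux) echo /boot/efi/EFI/almalinux/grub.cfg ;;
                *) echo "unsupported distro id '$id' for UEFI" >&2; return 1 ;;
            esac ;;
        *) echo "unknown firmware mode '$fw'" >&2; return 1 ;;
    esac
}

# Print the regeneration command for this host without running it;
# run it by hand as root once the path has been checked.
fw=$(detect_firmware)
id=$(distro_id)
if path=$(grub_cfg_path "$fw" "$id"); then
    echo "Firmware: $fw  Distro: $id"
    echo "sudo grub2-mkconfig -o $path"
fi
```

Run it as any user; it only reads /sys and /etc/os-release. Since the same path is needed again when removing the password or after the manual configuration, keeping the mapping in one function avoids regenerating the wrong file on a UEFI host.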
Verify the GRUB Configuration Contains Password Protection
Check that the generated grub.cfg now includes the superuser and password directives. For a BIOS system:
sudo grep -A5 "superusers" /boot/grub2/grub.cfg
You should see output containing set superusers="root" and a password_pbkdf2 line. If these lines are present, the configuration is correct.
Step 4 – Test the GRUB Password by Rebooting
The only way to confirm this works is to reboot and try editing a boot entry. You need console access for this step – SSH alone is not enough.
sudo reboot
When the GRUB menu appears:
- Press e to try editing the default boot entry.
- GRUB should prompt you for a username and password.
- Enter the username `root` (the GRUB superuser, not the Linux root account) and the password you set earlier.
- If authentication succeeds, you will be able to edit the boot entry. If it fails, GRUB will deny access.
Important: The system will still boot normally without requiring a password. The password is only required when someone tries to edit boot entries or access the GRUB command line. This is the default behavior with grub2-setpassword on RHEL 10.
Verify Normal Boot Still Works
Let the system boot without pressing any keys. It should start up normally without asking for credentials. If the system fails to boot, see the Troubleshooting section below.
Superusers vs Restricted Menu Entries
GRUB supports two levels of access control that are worth understanding:
Superuser Access
When you define a superuser with set superusers="root", that account has full access to all GRUB functions – editing entries, accessing the GRUB shell, and booting any entry. This is what grub2-setpassword configures by default.
With a superuser defined, the default behavior on RHEL 10 is:
- Booting the default menu entry does not require a password.
- Editing any menu entry with e requires superuser authentication.
- Accessing the GRUB command line with c requires superuser authentication.
Restricted Menu Entries
If you want to require a password even to boot a specific menu entry (not just to edit it), you need to use the --unrestricted and --users flags in your GRUB menu entry definitions. By default, RHEL 10 adds --unrestricted to all menu entries generated by grub2-mkconfig, which means booting is allowed without a password.
To make all menu entries require a password to boot, you would need to modify /etc/grub.d/10_linux and remove the --unrestricted flag from the menuentry lines. However, be cautious with this approach – if you forget the GRUB password, you will be locked out of booting the system entirely and will need to boot from rescue media to recover.
For most environments, the default behavior (password required only for editing) provides a good balance between security and recoverability.
How to Remove the GRUB Password
If you need to remove the GRUB password protection, the process is straightforward.
Step 1 – Delete the password hash file:
sudo rm /boot/grub2/user.cfg
Step 2 – Regenerate the GRUB configuration.
For BIOS systems:
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
For UEFI systems, use the appropriate path for your distribution as shown in Step 3 above.
Verify the Password Has Been Removed
sudo grep "superusers" /boot/grub2/grub.cfg
This command should return no output. If it still shows superuser lines, verify that /boot/grub2/user.cfg has been deleted and regenerate the configuration again.
Reboot and confirm that pressing e at the GRUB menu allows editing without any password prompt:
sudo reboot
Alternative – Manual GRUB Password Configuration
While grub2-setpassword is the recommended approach, you can also configure the password manually. This is useful if you need to define multiple GRUB users or customize the superuser name.
Step 1 – Generate a password hash manually:
grub2-mkpasswd-pbkdf2
Enter your password when prompted. Copy the entire output line starting with grub.pbkdf2.sha512....
Step 2 – Create a custom configuration script. Create the file /etc/grub.d/40_custom_users:
sudo vi /etc/grub.d/40_custom_users
Add the following content, replacing the hash with your actual output from the previous step:
#!/bin/sh
cat << EOF
set superusers="grubadmin"
password_pbkdf2 grubadmin grub.pbkdf2.sha512.10000.YOUR_HASH_HERE
EOF
Step 3 – Make the script executable:
sudo chmod 755 /etc/grub.d/40_custom_users
Step 4 – If using this manual method, remove the user.cfg file if it exists from a previous grub2-setpassword run to avoid conflicts:
sudo rm -f /boot/grub2/user.cfg
Step 5 – Regenerate the GRUB configuration using the appropriate command for your firmware type (see Step 3 of the main procedure).
Verify the Manual Configuration
sudo grep -A3 "superusers" /boot/grub2/grub.cfg
Confirm that your custom superuser name and password hash appear in the output.
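The manual method is the one to use when more than one GRUB user is needed, but the hash has to be pasted correctly or the resulting grub.cfg can lock you out of editing. The script below is an added example, not part of the original guide: it prints the contents of a 40_custom_users-style script for one superuser plus any number of extra users, and refuses any hash that does not have the shape grub2-mkpasswd-pbkdf2 produces. The function names and the sample user "operator" are this example's own; the hashes in the demonstration are constructed placeholders, not real output.

```shell
#!/bin/sh
# Added example (not from the original article): print the body of a
# /etc/grub.d/40_custom_users script for one superuser plus extra GRUB
# users, rejecting hashes that are not in grub2-mkpasswd-pbkdf2's output
# shape. Function names and the "operator" user are this example's own.

# 0 if $1 looks like grub.pbkdf2.sha512.<iterations>.<salt-hex>.<hash-hex>.
valid_pbkdf2_hash() {
    printf '%s\n' "$1" \
        | grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'
}

# Usage: render_users_script SUPERUSER HASH [USER HASH]...
# Extra users get a password_pbkdf2 line but no superuser rights: GRUB lets
# them boot only entries whose menuentry names them with --users.
render_users_script() {
    [ $# -ge 2 ] && [ $(($# % 2)) -eq 0 ] || {
        echo "usage: render_users_script SUPERUSER HASH [USER HASH]..." >&2; return 1; }
    # Validate every hash first so a bad paste produces no partial script.
    i=0
    for arg in "$@"; do
        i=$((i + 1))
        [ $((i % 2)) -eq 0 ] || continue          # hashes sit at even positions
        valid_pbkdf2_hash "$arg" || { echo "malformed hash at argument $i" >&2; return 1; }
    done
    # Hashes are hex, so the unquoted heredoc needs no escaping.
    printf '#!/bin/sh\ncat << EOF\n'
    printf 'set superusers="%s"\n' "$1"
    while [ $# -ge 2 ]; do
        printf 'password_pbkdf2 %s %s\n' "$1" "$2"
        shift 2
    done
    printf 'EOF\n'
}

# Demonstration with constructed placeholder hashes (not real output):
# redirect to /etc/grub.d/40_custom_users, chmod 755 it, then regenerate grub.cfg.
demo_super=grub.pbkdf2.sha512.10000.0123456789ABCDEF.FEDCBA9876543210
demo_oper=grub.pbkdf2.sha512.10000.00FF00FF00FF00FF.FF00FF00FF00FF00
render_users_script grubadmin "$demo_super" operator "$demo_oper"
```

Paste the real hash from grub2-mkpasswd-pbkdf2 in place of the placeholders. An "operator" user added this way still has no access until some menuentry carries `--users operator`, so by itself the extra line changes nothing about who can boot.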
Troubleshooting
GRUB Does Not Prompt for a Password When Pressing ‘e’
If pressing e at the GRUB menu still allows editing without authentication:
- Verify that `/boot/grub2/user.cfg` exists and contains a valid `GRUB2_PASSWORD` line.
- Confirm that `/etc/grub.d/01_users` exists and is executable (`chmod 755`).
- Regenerate `grub.cfg` and check that `superusers` appears in the output file.
- Make sure you regenerated the correct `grub.cfg` for your firmware type (BIOS vs UEFI).
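The checks in this list are the same ones the Step 1 and Step 3 verification commands perform by hand, so they can be run together before rebooting. The script below is an added example, not part of the original guide: it validates the GRUB2_PASSWORD line in user.cfg, its file mode, whether 01_users is executable, and whether the generated grub.cfg carries the superuser and password_pbkdf2 lines. All paths are parameters that default to the locations the guide uses; on a UEFI host pass the grub.cfg path for your distribution as the third argument. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: automate the checks for a
# GRUB password that does not prompt, so the gap is found before a reboot.
# Paths are parameters with the guide's defaults; function names are this
# example's own.

# 0 if the file holds exactly one GRUB2_PASSWORD line shaped like
# grub.pbkdf2.sha512.<iterations>.<salt-hex>.<hash-hex>.
check_user_cfg() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    n=$(grep -cE '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$' "$f" || true)
    [ "$n" -eq 1 ] || { echo "no valid GRUB2_PASSWORD line in $f" >&2; return 1; }
}

# Octal mode of a file (GNU stat); empty if it does not exist.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null
}

# 0 if the users script is present and executable; grub2-mkconfig skips
# non-executable files in /etc/grub.d, so the superuser never reaches grub.cfg.
check_users_script() {
    [ -x "$1" ]
}

# 0 if the generated grub.cfg defines a superuser and a pbkdf2 password line
# (the lines 01_users emits, indented as they appear in the output).
check_grub_cfg() {
    f="$1"
    grep -qE '^[[:space:]]*set superusers=' "$f" 2>/dev/null && \
        grep -qE '^[[:space:]]*password_pbkdf2 ' "$f" 2>/dev/null
}

# Run every check, report all results, and return nonzero if any failed.
audit_grub_password() {
    user_cfg="${1:-/boot/grub2/user.cfg}"
    users_script="${2:-/etc/grub.d/01_users}"
    grub_cfg="${3:-/boot/grub2/grub.cfg}"   # pass the UEFI path on UEFI hosts
    rc=0
    if check_user_cfg "$user_cfg"; then echo "ok:   hash line in $user_cfg"; else rc=1; fi
    if [ "$(file_mode "$user_cfg")" = 600 ]; then
        echo "ok:   $user_cfg is mode 600"
    else
        echo "warn: $user_cfg is not mode 600"; rc=1
    fi
    if check_users_script "$users_script"; then
        echo "ok:   $users_script is executable"
    else
        echo "fail: $users_script missing or not executable (chmod 755)"; rc=1
    fi
    if check_grub_cfg "$grub_cfg"; then
        echo "ok:   superuser present in $grub_cfg"
    else
        echo "fail: no superuser in $grub_cfg; regenerate it for your firmware type"; rc=1
    fi
    return $rc
}

# Audit the live system when run directly (as root, so /boot/grub2 is readable).
if audit_grub_password; then
    echo "GRUB password protection looks complete"
fi
```

A "fail" on the grub.cfg check with everything else passing is the classic symptom of regenerating the BIOS path on a UEFI host, which is the last item in the list above.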
System Requires Password to Boot (Not Just to Edit)
If the system asks for a password before allowing any boot entry to start:
- Check whether the `--unrestricted` flag is present on your menu entries in `grub.cfg`. On a default RHEL 10 installation, all entries should include this flag.
- If it is missing, check `/etc/grub.d/10_linux` for modifications. Restore the file from the package if needed:
sudo dnf reinstall grub2-common
Then regenerate grub.cfg.
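Checking for `--unrestricted` by eye is error-prone on a host with several kernels, so the check in this section and the "Restricted Menu Entries" discussion above can be turned into a listing of exactly which entries would demand a password just to boot. The script below is an added example, not part of the original guide: it reports menuentry lines in grub.cfg that lack the flag and, going one step beyond the text, also inspects the BLS snippets under /boot/loader/entries, where RHEL-family hosts that build the menu with GRUB_ENABLE_BLSCFG keep the flag as a `grub_arg --unrestricted` line. Function names and the GRUB_CFG and BLS_DIR environment overrides are this example's own; the sample entries in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: list boot entries that would
# require a password just to boot, i.e. entries without --unrestricted, in
# grub.cfg menuentry lines and in BLS snippets (/boot/loader/entries/*.conf,
# which carry "grub_arg --unrestricted" on BLS-enabled RHEL-family hosts).
# Function names and the env overrides are this example's own.

# Titles of grub.cfg menuentry lines lacking --unrestricted
# (titles may be single- or double-quoted; submenus indent with a tab).
restricted_menuentries() {
    q="'\""
    grep -E '^[[:space:]]*menuentry ' "$1" 2>/dev/null \
        | grep -vF -e '--unrestricted' \
        | sed -E "s/^[[:space:]]*menuentry [$q]([^$q]*)[$q].*/\1/"
}

# Titles of BLS entries in a directory lacking "grub_arg --unrestricted".
restricted_bls_entries() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue                     # no glob match: skip
        grep -qE '^grub_arg .*--unrestricted' "$f" && continue
        sed -n 's/^title //p' "$f"
    done
}

# Number of entries from both sources that would prompt before booting.
restricted_count() {
    { restricted_menuentries "$1"; restricted_bls_entries "$2"; } | grep -c . || true
}

# Report on the live system; paths can be overridden for a UEFI grub.cfg.
cfg="${GRUB_CFG:-/boot/grub2/grub.cfg}"
bls="${BLS_DIR:-/boot/loader/entries}"
n=$(restricted_count "$cfg" "$bls")
if [ "$n" -eq 0 ]; then
    echo "all entries carry --unrestricted: booting needs no password"
else
    echo "$n entries would require the GRUB password to boot:"
    restricted_menuentries "$cfg"
    restricted_bls_entries "$bls"
fi
```

Any title printed here is an entry that only the superuser (or a user named with `--users`) can boot, which is the lock-out risk the "Restricted Menu Entries" section warns about. An empty report is the expected state after `dnf reinstall grub2-common` and a regeneration.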
Forgot the GRUB Password
If you have set the GRUB password and forgotten it, you will need to boot from rescue or installation media:
- Boot from the RHEL 10, Rocky Linux 10, or AlmaLinux 10 installation ISO.
- Select Troubleshooting and then Rescue a Red Hat Enterprise Linux system (or equivalent for Rocky/Alma).
- Once in the rescue shell, mount the installed system and chroot into it.
- Delete `/boot/grub2/user.cfg` or run `grub2-setpassword` to set a new password.
- Regenerate `grub.cfg` and reboot.
Error: “Authentication Failed” Despite Correct Password
GRUB uses its own keyboard mapping, which may differ from what your OS uses. If you have a non-US keyboard layout, special characters in your password might not map correctly at the GRUB prompt. Use a password with only standard alphanumeric characters and basic symbols to avoid this issue.
GRUB Configuration File is Empty or Missing After grub2-mkconfig
If grub2-mkconfig produces an empty or minimal file:
- Check that the scripts in `/etc/grub.d/` are executable. List them with `ls -l /etc/grub.d/`.
- Verify that `/etc/default/grub` exists and contains valid settings.
- Run `grub2-mkconfig` without the `-o` flag to see the output on screen and check for errors:
sudo grub2-mkconfig
Summary
Protecting the GRUB bootloader with a password is a fundamental hardening step for any RHEL 10, Rocky Linux 10, or AlmaLinux 10 server. The grub2-setpassword command makes this straightforward – it generates the password hash, stores it in /boot/grub2/user.cfg, and works with the existing /etc/grub.d/01_users script to inject the superuser configuration into grub.cfg at generation time. After regenerating the GRUB configuration and rebooting, any attempt to edit boot entries or access the GRUB command line will require authentication. Normal booting continues to work without a password prompt, which keeps operations smooth while still blocking unauthorized changes to the boot process.