Protect grub with password on Debian/Ubuntu/Kali Linux

Hey all!. Are you running on a Linux OS and trust it is well secured with user password to restrict access?. Well, that is not the case because somebody can easily change your user password using grub thus compromising the security of your system. Then how do we curb this?. You have to set grub password and this is how to.

Edit the file:

/etc/grub.d/00_header

Create your password by typing:

sudo grub-mkpasswd-pbkdf2

Enter the desired password.

Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.314C33B627B0AB182F94D30F0FBF774D43BB7BE1C10A9A4090E81EC71620AAFB8B783167F1B5DE23BB65E9EF28CE2C065F76CE3872F8FA15DA491CBC788DB046.139473B7C6C02E0E0452D38B2B5B7A309B941A66BCA811BF71F09DFA7538D38375D1430E0D7E481B7875CBD4415CE5B53A7B84ED9EACFAEB0A0179820AD56610

This will generate a long and encrypted password as shown in the screen-shot below.

Copy the whole generated code and edit the file /etc/grub.d/00_header using vim or any text editor you prefer:

sudo vim /etc/grub.d/00_header

Go to the end of the file, on vi use G to go to the end of the file, if on the leafpad scroll to the end of the file.

Type the following command;

cat << EOF
set superusers="username"
password_pbkdf2 username 'paste the generated code copied above here'
EOF

For instance, in my case check the screenshot

Save the changes and exit the editor & update grub using either of the commands;

$ sudo update-grub
Generating grub configuration file ...
Found theme: /boot/grub/themes/kali/theme.txt
Found background image: /usr/share/images/desktop-base/desktop-grub.png
Found linux image: /boot/vmlinuz-5.14.0-kali4-amd64
Found initrd image: /boot/initrd.img-5.14.0-kali4-amd64
Found linux image: /boot/vmlinuz-5.10.0-kali9-amd64
Found initrd image: /boot/initrd.img-5.10.0-kali9-amd64
done

or

sudo grub-mkconfig -o /boot/grub/grub.cfg

To test the changes, reboot the system. If the procedure above was successful, once you select grub entry to boot, you will be prompted to enter username and password. Enter those credentials and there you go,, your grub is secured!!!!

On The Other Hand,

In case you forget your password or grub password fails to work, this is how to restore the changes using live bootable flash-drive or DVD. Once you have created one, boot the system using it.

Once you boot into live, follow the procedure here given. Launch the gparted to check the partition where system OS is installed (check the screenshot for my case)

Mount the Linux OS root Partition using the following command

sudo mount /dev/sda6 /mnt/
cd /mnt/

Then type the following command as it is:

for i in /sys /proc /run /dev; do sudo mount --bind "$i" "/mnt$i"; 
done

Edit the file /etc/grub.d/00_header using

sudo vim /etc/grub.d/00_header

Remove the added lines at the end of it, as in below for my case,

cat << EOF
set superusers="neveropen"
password_pbkdf2 neveropen grub.pbkdf2.sha512.10000.0EF3409AFA03D25C3CFCC47EE7664B8BE6A9554D5D9ADBB9D78
084820957098E4B7F360A28C896EC83522A7A0516701E1E54AC280A5E71D36780D49438579FA5.CC1E540432E3047A
4C8AD38DE14965FA737F7609C73286FEB2EE263FC54F4CBE9ECED1F190AC99DFD8288B768CBBF6FC4134CCF9ABC204
9AC0E39AB28A17866B
EOF

Update grub

sudo update-grub

Install grub in Master Boot Record(MBR) using the following command

sudo grub-install /dev/sda

Update grub again to effect the changes:

sudo update-grub

Reboot your system and the grub password prompt is gone!.