Avantguard Computer & Security Systems

Secure GRUB

Require Password for Single-User / Recovery Mode

Without a GRUB password, anyone with physical access can boot into single-user mode and gain root without authentication.

Step 1: Require sulogin in Single User Mode

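Ensure sulogin is used by the emergency and rescue (single-user) targets. Each ExecStart line in the output should reference sulogin:

# Verify sulogin is default for emergency/rescue
systemctl cat emergency.service rescue.service | grep ExecStart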

Step 2: Generate GRUB Password Hash

grub-mkpasswd-pbkdf2

Enter and confirm your password. Copy the grub.pbkdf2.sha512... hash.

Step 3: Configure GRUB

# Append to /etc/grub.d/40_custom (keep the existing header lines)
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.YOURHASHHERE

To allow one entry to boot without a password (editing that entry still requires the superuser login):

# In /etc/grub.d/10_linux, find the menuentry line and add to its options:
--unrestricted

Step 4: Update GRUB

update-grub

Step 5: Test

Reboot and verify that pressing e to edit a GRUB entry prompts for username and password.
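
The check below is an added example, not part of the original page: it audits the grub.cfg that update-grub generates from Steps 3 and 4, before you reboot for Step 5. The function name audit_grub_cfg, the sample file, and the rule that recovery entries have "recovery" in their title are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a generated grub.cfg against the steps on this page.
# Prints one line per finding; returns 0 if clean, 1 if anything failed.
audit_grub_cfg() {
    awk -v q="'" '
    /^[ \t]*set[ \t]+superusers=/ {
        v = $0; sub(/^[^=]*=/, "", v); gsub("[\"" q "]", "", v)
        # GRUB accepts space , ; | & as separators between user names
        n = split(v, su, /[ ,;|&]+/)
    }
    /^[ \t]*password_pbkdf2[ \t]/ { hashed[$2] = ($3 ~ /^grub\.pbkdf2\.sha512\./) }
    /^[ \t]*password[ \t]/ { print "FAIL plaintext password for user " $2; bad++ }
    /^[ \t]*menuentry[ \t]/ && /--unrestricted/ {
        split($0, t, q)            # grub-mkconfig single-quotes the title
        # Assumption: recovery entries carry "recovery" in the title
        if (tolower(t[2]) ~ /recovery/) {
            print "FAIL recovery entry boots without password: " t[2]; bad++
        } else print "INFO unrestricted entry: " t[2]
    }
    END {
        if (n == 0) { print "FAIL superusers not set, menu editing is open"; bad++ }
        for (i = 1; i <= n; i++)
            if (su[i] != "" && !hashed[su[i]]) {
                print "FAIL no PBKDF2 hash for superuser " su[i]; bad++
            }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample (not from a real system, entry bodies omitted):
# --unrestricted was added to every entry, including recovery mode.
sample=$(mktemp)
cat > "$sample" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.CONSTRUCTEDHASH
menuentry 'Debian GNU/Linux' --class os --unrestricted {
menuentry 'Debian GNU/Linux (recovery mode)' --class os --unrestricted {
menuentry 'Memory test' --class memtest {
EOF
audit_grub_cfg "$sample" || echo "Fix the FAIL lines, then re-run update-grub"
rm -f "$sample"
# On a real system (as root): audit_grub_cfg /boot/grub/grub.cfg
```
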