One lacking thing about grub 2 was the possibility of asinging a password, so nobody can edit the boot menu to, for instance, pass initial parameters to the kernel, change the initial runlevel or worst, change the root’s password. Recently I saw now it’s posssible to do so, and we let’s see how to do it.
In order to avoid people editing grub 2 menu you must assign a super user and a password, better if the latter is encrypted. Firt you must generate a hash with the wanted phrase, using the grub-mkpasswd-pbkdf2 command, as shown in the above picture. Once the hash has been generated you must edit the /etc/grub.d/00_header, putting the following at the bottom of the file:
cat << EOF set superusers="lgallard" password_pbkdf2 lgallard grub.pbkdf2.sha512.10000.9BF88302B67DCCB25A7B939F5171B36D04AE7B8C1E1FF90511204DC08CCA98E9E9E9332B32E6908D1DF983A42603ACA1E2E8411B0407762C3A1839F707BF34E8.343BD210589487FBAEA3DA4889053206380B9590505F926764ED028FDB38EFD87C76505C9ABC6FA191CEE4AB3C407988C73AA773C46FC2A9A49D1078F222E5D9 EOF
In this case, the super user is lgallard, and the hash is the one generated previously. Once you have edited the file you must apply the changes by running the following command:
Now you Grub 2 boot loader is password protected!
Reference: Grub 2 Password Protection