How to Reset GRUB Password in Linux

GRUB2 (GRand Unified Bootloader) is the default bootloader on Linux. It is a multiboot loader. A multiboot loader enables the host to boot with different operating systems, one at a time. It also provides options to pass kernel parameters and start maintenance mode. Maintenance mode allows the user to change configuration files and system settings. This creates security risks. For example, a user can reset the root password in maintenance mode and use it to gain unauthorized access to the system. To mitigate these risks, GRUB2 supports password protection. If we enable it, only authorized users can access GRUB options at boot time.

Protecting GRUB with a password

The grub2-setpassword command sets a password on GRUB menu entries. Log in as root, open a terminal and run the following command.

#grub2-setpassword

Enter the password and press the Enter key to confirm the password:

Enter password:
Confirm the password:

This command creates a new file, /boot/grub2/user.cfg, and saves the supplied password in hashed format.

Verifying GRUB password

Restart the system. Press the e key when the GRUB menu screen appears.

We need a username and password to access menu entries. The default username is root. The password is what we set earlier.

After successful authentication, it shows GRUB menu entries.

Removing GRUB password

To remove a GRUB password, log in as the root user and remove the /boot/grub2/user.cfg file.

#rm /boot/grub2/user.cfg

To verify this, restart the system and press the e key when the GRUB menu screen appears.

If it shows GRUB menu entries, the entries are not password-protected.

Understanding GRUB2 configuration and structure

The /boot/grub2/grub.cfg is the main configuration file. GRUB2 dynamically generates it from the files listed in the /etc/grub.d/ directory. Each file in this directory defines a separate functionality of GRUB2.

If you want to customize any GRUB2 feature, update the related file in this directory. The change is merged into the main configuration file automatically at the next rebuild. To rebuild it immediately, use the following command.

#grub2-mkconfig -o /boot/grub2/grub.cfg

The /boot/grub2/grub.cfg file defines the root user with the password the grub2-setpassword command sets. Therefore, changing a GRUB menu entry requires the name and password of the root user.

Before RHEL 9, Red Hat used separate locations to save the user.cfg file for BIOS and UEFI installations. For BIOS installations, it used the /boot/grub2/ directory. For UEFI installations, it used the /boot/efi/EFI/redhat/ directory.

To remove the GRUB password, delete the related file. Remove the /boot/grub2/user.cfg file for the BIOS installation.

#rm /boot/grub2/user.cfg

Remove the /boot/efi/EFI/redhat/user.cfg file for the UEFI installation.

#rm /boot/efi/EFI/redhat/user.cfg

From RHEL 9 onward, /boot/grub2/ is the standard location for both installations. Deleting user.cfg from here removes the GRUB password on both installations.

You can check the following article for more information.
https://access.redhat.com/articles/6718341#rhel9

The /etc/grub.d/40_custom file saves custom configuration. Administrators use it to configure multiple GRUB passwords or a user account other than root.

Following are the default contents of this file.

  #!/bin/sh
  exec tail -n +3 $0
  # This file provides an easy way to add custom menu entries.  Simply type the
  # menu entries you want to add after this comment.  Be careful not to change
  # the 'exec tail' line above.
If deleting the user.cfg file does not remove the GRUB password, check this file for custom entries. If it contains manual entries, take a backup of the existing file and remove all contents apart from the default.

Following is the sample file with the custom entries.

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
set superusers="root"
export superusers
password_pbkdf2 root grub.pbkdf2.sha512.10000.42CECFEC0DF5B2EAB4E6F2E70A2F2DB966D8879E3E6B9DC715E58287FE0B2E904A31EE621038CC91EA61DDE344DC9C78C3C27D273C4773886527E4D343175FC4DF77570C06011FBD64EA9A857617F8D3F0C489EAC84334787C548.DFA0CAEB3447B765AEE9877B403DB48C22BDDBCCAAD4E4A7FA70F713224DBF19C34551F2A32

Remove the custom entries (the superusers lines and the password_pbkdf2 line that follow the default comment) from the above file.

The user.cfg is also a dynamic file. The grub2-setpassword command generates and uses this file to save the configured password. After deleting this file, if you run this command again, the command will create the file again.
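A read-only check for the case described above, where a GRUB password is still enforced after user.cfg has been deleted. This is an added example, not part of the original tutorial; the function names and the optional root-prefix argument are assumptions of the example, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: report every place a GRUB2 password is defined.
# $1 is an optional root prefix (an assumption of this example) so the check
# can run against a mounted disk image or a test tree instead of "/".
grub_password_sources() {
    root="${1:-}"
    found=1    # exit status: 0 = at least one password source exists

    # user.cfg written by grub2-setpassword: BIOS / RHEL 9+ path, then the
    # pre-RHEL 9 UEFI path. The file holds one GRUB2_PASSWORD=<hash> line.
    for f in /boot/grub2/user.cfg /boot/efi/EFI/redhat/user.cfg; do
        if grep -q '^GRUB2_PASSWORD=' "$root$f" 2>/dev/null; then
            echo "user.cfg: $f"
            found=0
        fi
    done

    # Manual entries in 40_custom: a superusers assignment or a password /
    # password_pbkdf2 directive on a non-comment line.
    f=/etc/grub.d/40_custom
    if grep -Eq '^[[:space:]]*(set[[:space:]]+superusers=|password(_pbkdf2)?[[:space:]])' \
            "$root$f" 2>/dev/null; then
        echo "custom: $f"
        found=0
    fi
    return "$found"
}

# Constructed demo tree: user.cfg removed, password still set in 40_custom.
grub_demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/etc/grub.d" "$t/boot/grub2"
    cat > "$t/etc/grub.d/40_custom" <<'EOF'
#!/bin/sh
exec tail -n +3 $0
set superusers="root"
export superusers
password_pbkdf2 root grub.pbkdf2.sha512.10000.CONSTRUCTED-SALT.CONSTRUCTED-HASH
EOF
    grub_password_sources "$t"
    status=$?
    rm -rf "$t"
    return "$status"
}
```

On a live system, run grub_password_sources as root with no argument; an exit status of 1 with no output means neither user.cfg nor 40_custom defines a password.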

GRUB2 uses three items to boot the system: a kernel file, the drive name and the partition number where the kernel file resides, and an initial RAM disk. It can boot the system in the following two ways:

  1. Automatically finding and loading the desired kernel.
  2. Loading another bootloader and allowing it to load the desired kernel.

The first option is the default. The second option is called chain loading. GRUB2 uses this option when we install multiple operating systems on the same system.

Conclusion

GRUB is the default bootloader on Linux. On boot, it provides a menu that allows us to boot the system with custom configuration. Securing menu entries is essential to protect the system from unauthorized access. This tutorial explained how to configure a GRUB password or remove an existing password.
