bug-grub

problems with encrypted passwords


From: Dorehami Serehami
Subject: problems with encrypted passwords
Date: Tue, 19 Jan 2021 08:42:45 -0800

Hello GRUB maintainers,


I'm trying to secure GRUB on a Linode server I have. I'm following some instructions I've found on securing GRUB. I've managed to get it working with a plaintext password, but not with an encrypted password.

Here's a simple set of steps to set up the plaintext password:

  1. Start with a fresh Linode based on Debian 10 (I have also tried Ubuntu 20.04 LTS, with the same results).

  2. Do the following:

    cd /etc/grub.d
    cat >> 40_custom << EOF
    set superusers="root"
    password root testing
    EOF
    update-grub
    
  3. Now connect to the Linode through Lish (Linode's out-of-band console solution), using SSH.

  4. Reboot the Linode, and in the Lish session, hit enter when the GRUB menu comes up. You should be prompted for user and password. Supplying root/testing should work.

However, as soon as I add the instructions for encrypting the password, things don't work. All I do is:

  1. Run grub-mkpasswd-pbkdf2, supplying it with "testing" as the password to encrypt.
  2. Replace the line "password root testing" in the 40_custom file with the line "password_pbkdf2 root grub.pbkdf2.sha512.10000.BCCF091DF7444EF71031E2CAD5C455BD70D00400A1541949CB51C8E7D7F8EC0C1595D74327D1A8E025A1D09552694E40E4D6EB4625D46F7A45BCE86F5C449FAA.247D38CB87C4DA386F22C96A6F390171EA2768D3463EF285C80856639E9934A5DCBFA9CB813AD6EC3D7B3FEF6183F09620A68D2B25C1060B6AACE82686ECF5B4". (if you run the command in step 1, you may get a different password hash).
  3. Run update-grub.
  4. Same as step 4, above, except it returns to the GRUB menu (which means authentication failed).

The version of GRUB being used is 2.02+dfsg1-20+deb10u2.

If you want to reproduce the above on a Linode, you could easily sign up for a trial account on Linode. But hopefully it is reproducible in other settings.

Is this a known issue? Can you suggest a way to work around this?

thanks!
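
To rule out the hash itself when a `password_pbkdf2` login fails as described above, the stored value can be checked offline against the intended password. This is an added example, not part of the original message or of GRUB's code; the function names are hypothetical, the sample hash is constructed, and it assumes the `grub.pbkdf2.sha512` string is PBKDF2-HMAC-SHA512 with hex-encoded salt and derived key.

```python
import hashlib
import hmac
import re

# Layout of the string printed by grub-mkpasswd-pbkdf2:
#   grub.pbkdf2.sha512.<iterations>.<salt hex>.<derived key hex>
GRUB_HASH_RE = re.compile(
    r"grub\.pbkdf2\.sha512\.(\d+)\.([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)")


def parse_grub_hash(text):
    """Extract (iterations, salt, key) from a hash or a whole config line."""
    match = GRUB_HASH_RE.search(text)
    if match is None:
        raise ValueError("no grub.pbkdf2.sha512 hash found")
    iterations, salt_hex, key_hex = match.groups()
    if int(iterations) < 1:
        raise ValueError("iteration count must be at least 1")
    # An odd number of hex digits means the value was cut or wrapped in transit.
    if len(salt_hex) % 2 or len(key_hex) % 2:
        raise ValueError("odd-length hex field, hash looks truncated")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(key_hex)


def make_grub_hash(password, salt, iterations=10000, key_len=64):
    """Build a hash string in the same layout (used here for sample data)."""
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                              salt, iterations, key_len)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (
        iterations, salt.hex().upper(), key.hex().upper())


def verify_grub_hash(password, text):
    """True if password derives the key stored in the hash found in text."""
    iterations, salt, stored = parse_grub_hash(text)
    derived = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                  salt, iterations, len(stored))
    return hmac.compare_digest(derived, stored)


if __name__ == "__main__":
    # Constructed sample: fixed salt, not a hash from any real system.
    sample = make_grub_hash("testing", bytes(range(64)))
    line = "password_pbkdf2 root " + sample
    print(verify_grub_hash("testing", line))
    print(verify_grub_hash("Testing", line))
```

Passing the `password_pbkdf2` line as it appears in the generated grub.cfg, rather than the one typed into `40_custom`, checks the value GRUB actually reads.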

