When enabled, GRUB is configured with a superuser and a password_pbkdf2 hash. This protects interactive editing and command-line access at the boot menu.
Boot entries that are marked --unrestricted can still be started without a password. The original password is not stored; only the GRUB PBKDF2 hash is saved in the configured password script.
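
The following check is an added example, not part of the original page or of the tool it describes: it audits a GRUB config for the state described above (superuser set, PBKDF2 hash present, no cleartext password directive) and counts which entries are --unrestricted. The function names, the sample config and the placeholder salt and hash are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): audit a grub.cfg for the
# setup described above. Reads the file named in $1, or stdin if omitted.
# Returns 0 only if every superuser has a password_pbkdf2 hash and no
# plaintext "password" directive is present.
audit_grub_cfg() {
    awk '
    # superusers may be separated by spaces, commas, semicolons, | or &
    $1 == "set" && $2 ~ /^superusers=/ {
        v = $0; sub(/^[^=]*=/, "", v); gsub(/"/, "", v)
        n = split(v, su, /[ ,;&|]+/)
    }
    $1 == "password_pbkdf2" { hashed[$2] = ($3 ~ /^grub\.pbkdf2\./) }
    $1 == "password"        { plain[$2] = 1 }   # cleartext directive
    $1 == "menuentry" { if ($0 ~ /--unrestricted/) unres++; else restr++ }
    END {
        rc = 0
        if (n == 0) { print "FAIL: no superusers set, menu is unprotected"; rc = 1 }
        for (i = 1; i <= n; i++) {
            if (su[i] == "") continue
            if (hashed[su[i]]) print "OK: superuser " su[i] " has a PBKDF2 hash"
            else { print "FAIL: superuser " su[i] " has no password_pbkdf2 line"; rc = 1 }
        }
        for (u in plain) { print "FAIL: plaintext password stored for " u; rc = 1 }
        printf "INFO: %d entries boot without a password (--unrestricted), %d require one\n", unres, restr
        exit rc
    }' "${1:--}"
}

# Constructed sample config; salt and hash are placeholders, not real values.
sample_grub_cfg() {
    cat <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.<SALT-HEX>.<HASH-HEX>
menuentry 'Linux' --class os --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro
}
menuentry 'Recovery' --class os {
    linux /vmlinuz root=/dev/sda1 ro single
}
EOF
}

sample_grub_cfg | audit_grub_cfg
```

Pass the path of the generated config as the first argument to audit a real system; the INFO line shows how many entries remain bootable without the superuser password.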