passlib.hash.grub_pbkdf2_sha512 - Grub’s PBKDF2 Hash

This class provides an implementation of Grub’s PBKDF2-HMAC-SHA512 password hash [1], as generated by the grub-mkpasswd-pbkdf2 command, and may be found in Grub2 configuration files. PBKDF2 is a key derivation function [2] that is ideally suited as the basis for a password hash, as it provides variable length salts, variable number of rounds.

See also


class passlib.hash.grub_pbkdf2_sha512

This class implements Grub’s pbkdf2-hmac-sha512 hash, and follows the PasswordHash API.

It supports a variable-length salt, and a variable number of rounds.

The using() method accepts the following optional keywords:

  • salt (bytes) – Optional salt bytes. If specified, the length must be between 0-1024 bytes. If not specified, a 64 byte salt will be autogenerated (this is recommended).
  • salt_size (int) – Optional number of bytes to use when autogenerating new salts. Defaults to 64 bytes, but can be any value between 0 and 1024.
  • rounds (int) – Optional number of rounds to use. Defaults to 19000, but must be within range(1,1<<32).
  • relaxed (bool) –

    By default, providing an invalid value for one of the other keywords will result in a ValueError. If relaxed=True, and the error can be corrected, a PasslibHashWarning will be issued instead. Correctable errors include rounds that are too small or too large, and salt strings that are too long.

    New in version 1.6.

Format & Algorithm

A example hash (of password) is


All of this scheme’s hashes have the format grub.pbkdf2.sha512.rounds.salt.checksum, where rounds is the number of iteration stored in decimal, salt is the salt string encoded using upper-case hexadecimal, and checksum is the resulting 64-byte derived key, also encoded in upper-case hexadecimal. It can be identified by the prefix grub.pdkdf2.sha512..

The algorithm used is the same as pbkdf2_sha1: the password is encoded into UTF-8 if not already encoded, and passed through pbkdf1() along with the decoded salt, and the number of rounds. The result is then encoded into hexadecimal.


[1]Information about Grub’s password hashes -
[2]The specification for the PBKDF2 algorithm -