diff --git a/confluent_server/confluent/config/attributes.py b/confluent_server/confluent/config/attributes.py index 3537864b..b84f7847 100644 --- a/confluent_server/confluent/config/attributes.py +++ b/confluent_server/confluent/config/attributes.py @@ -101,6 +101,9 @@ node = { 'description': 'The password of the local root password. ' 'This is stored as a non-recoverable hash.', }, + 'crypted.grubpassword': { + 'description': 'Password required to modify grub behavior at boot', + }, 'crypted.selfapikey': { 'description': ('Crypt of api key for self api requests by node'), }, diff --git a/confluent_server/confluent/config/configmanager.py b/confluent_server/confluent/config/configmanager.py index 3eedb3a0..0fb9c6d1 100644 --- a/confluent_server/confluent/config/configmanager.py +++ b/confluent_server/confluent/config/configmanager.py @@ -52,6 +52,7 @@ except ModuleNotFoundError: import dbm import ast import base64 +from binascii import hexlify import confluent.config.attributes as allattributes import confluent.config.conf as conf import confluent.log @@ -71,6 +72,7 @@ import eventlet.event as event import eventlet.green.select as select import eventlet.green.threading as gthread import fnmatch +import hashlib import json import msgpack import operator @@ -484,6 +486,17 @@ def _get_valid_attrname(attrname): return attrname +def grub_hashcrypt_value(value) + salt = os.urandom(64) + algo = 'sha512' + rounds = 10000 + crypted = hexlify(hashlib.pbkdf2_hmac(algo, value, salt, rounds)) + crypted = crypted.upper() + salt = hexlify(salt).upper() + ret = 'grub.pbkdf2.{0}.{1}.{2}.{3}'.format(algo, rounds, salt, crypted) + return ret + + def hashcrypt_value(value): salt = confluent.util.stringify(base64.b64encode(os.urandom(12), altchars=b'./')) 
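Review bot: The description added for `crypted.grubpassword` does not say how the value is stored, whereas the neighbouring `crypted.rootpassword` description tells the operator it is kept as a non-recoverable hash. The `crypted.` prefix routes this attribute through the same hashing path in configmanager (the `attrname.startswith("crypted.")` branch in this commit), so the same statement belongs here: `'description': ('Password required to modify grub behavior at boot. This is stored as a non-recoverable hash.'),`. Operators reading the attribute list should not have to infer the storage guarantee from the key prefix.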
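Review bot: The new `def grub_hashcrypt_value(value)` line is missing its trailing colon, so configmanager.py will fail to compile and the whole config manager will not import; this needs to be `def grub_hashcrypt_value(value):`. Beyond that, `hexlify()` returns bytes and `.upper()` keeps them bytes, so on Python 3 (the import hunk in this same file catches `ModuleNotFoundError`) the `'grub.pbkdf2.{0}.{1}.{2}.{3}'.format(...)` call embeds the `b'...'` repr of the salt and digest into the string, producing a value grub will not accept; both need `.decode('ascii')` before formatting. `hashlib.pbkdf2_hmac` also requires a bytes-like password, and if `newdict['value']` reaches this function as a str (the sibling `hashcrypt_value` visibly goes through `confluent.util.stringify`, which suggests text is in play — worth confirming) the call raises TypeError, so the value should be encoded first. `hashcrypt_value`, shown as context here, continues past the end of the hunk.

```python
def grub_hashcrypt_value(value):
    """Return a grub.pbkdf2 password string (as grub-mkpasswd-pbkdf2 emits) for value."""
    if not isinstance(value, bytes):
        value = value.encode('utf8')  # pbkdf2_hmac needs a bytes-like password
    salt = os.urandom(64)
    algo = 'sha512'
    rounds = 10000
    crypted = hexlify(hashlib.pbkdf2_hmac(algo, value, salt, rounds))
    # hexlify yields bytes; decode so str.format does not embed a b'...' repr
    crypted = crypted.decode('ascii').upper()
    salt = hexlify(salt).decode('ascii').upper()
    return 'grub.pbkdf2.{0}.{1}.{2}.{3}'.format(algo, rounds, salt, crypted)
```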
@@ -2206,6 +2219,8 @@ class ConfigManager(object):
                     del newdict['value']
                 if 'value' in newdict and attrname.startswith("crypted."):
                     newdict['hashvalue'] = hashcrypt_value(newdict['value'])
+                    newdict['grubhashvalue'] = grub_hashcrypt_value(
+                        newdict['value'])
                     del newdict['value']
                 cfgobj[attrname] = newdict
                 if attrname == 'groups':
diff --git a/confluent_server/confluent/selfservice.py b/confluent_server/confluent/selfservice.py
index ab3cb7d4..897c53d1 100644
--- a/confluent_server/confluent/selfservice.py
+++ b/confluent_server/confluent/selfservice.py
@@ -64,7 +64,7 @@ def handle_request(env, start_response):
     if ncfg['prefix']:
         ncfg['ipv4_netmask'] = netutil.cidr_to_mask(ncfg['prefix'])
     deployinfo = cfg.get_node_attributes(
-        nodename, ('deployment.*', 'console.method', 'crypted.rootpassword',
+        nodename, ('deployment.*', 'console.method', 'crypted.*',
                    'dns.*'))
     deployinfo = deployinfo.get(nodename, {})
     profile = deployinfo.get(
@@ -80,6 +80,8 @@ def handle_request(env, start_response):
         ncfg['protocol'] = 'https'
         ncfg['rootpassword'] = deployinfo.get('crypted.rootpassword', {}).get(
             'hashvalue', None)
+        ncfg['grubpassword'] = deployinfo.get('crypted.grubpassword', {}).get(
+            'grubhashvalue', None)
         if currtzvintage and currtzvintage > (time.time() - 30.0):
             ncfg['timezone'] = currtz
         else:
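Review bot: The added `newdict['grubhashvalue'] = grub_hashcrypt_value(newdict['value'])` sits inside the generic `attrname.startswith("crypted.")` branch, so every `crypted.*` attribute — `crypted.rootpassword` and `crypted.selfapikey` included — now gets a second, grub-format PBKDF2 hash of the same secret stored alongside its crypt hash. That costs 10000 PBKDF2 rounds per write and stores two independent hashes of each password (two targets for an offline attacker) for attributes that never consume the grub form; only `crypted.grubpassword` is read back with that key in selfservice.py. Guard it: `if attrname == 'crypted.grubpassword':` / `    newdict['grubhashvalue'] = grub_hashcrypt_value(newdict['value'])`. The enclosing ConfigManager method starts and ends outside this hunk.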
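Review bot: Widening the attribute query from `'crypted.rootpassword'` to `'crypted.*'` pulls every crypted attribute, including `crypted.selfapikey`, into `deployinfo` for this request, while the following hunk only ever reads `crypted.rootpassword` and `crypted.grubpassword` out of it. Fetching only what the handler uses keeps the API-key hash out of a request-scoped dict that is assembled for delivery to the node, and makes any future leak through `deployinfo` harder to introduce; name the two keys explicitly: `nodename, ('deployment.*', 'console.method', 'crypted.rootpassword', 'crypted.grubpassword', 'dns.*'))`. `handle_request` begins before this hunk and continues after it.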