If you operate in an environment where boot tampering is a concern, enable Secure Boot in firmware (UEFI/BIOS). Confirm that your boot chain supports it before enabling it on remote systems.
GRUB can be protected with a password so interactive edits at boot require authentication.
Generate a PBKDF2 hash:
sudo grub-mkpasswd-pbkdf2
Then add a superuser stanza in /etc/grub.d/40_custom:
set superusers="admin"
password_pbkdf2 admin <PBKDF2_HASH_FROM_grub-mkpasswd-pbkdf2>
Then run:
sudo update-grub
Test this carefully, especially on remote servers.
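One way to check the generated configuration before rebooting, as an added example that is not part of the original guide: the default path /boot/grub/grub.cfg and the sample hash are assumptions. It also counts menu entries that will prompt for credentials, because once superusers is set GRUB restricts entries that lack --unrestricted or --users.

```shell
#!/bin/sh
# Added example (not from the original page): audit a GRUB config for the
# password stanza. The default path below is an assumption (Debian/Ubuntu).

check_grub_password() {
    cfg=${1:-/boot/grub/grub.cfg}
    [ -r "$cfg" ] || { echo "ERROR: cannot read $cfg"; return 2; }

    # Names from: set superusers="admin"  (quoted form, as on the page).
    users=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers="\([^"]*\)".*/\1/p' "$cfg" |
            tr ' ,;|&' '\n\n\n\n\n' | sed '/^$/d')
    [ -n "$users" ] || { echo "FAIL: superusers is not set"; return 1; }

    rc=0
    for u in $users; do
        # Expect: password_pbkdf2 <user> grub.pbkdf2.sha512.<iter>.<salt>.<hash>
        if awk -v u="$u" '$1 == "password_pbkdf2" && $2 == u &&
              $3 ~ /^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$/ { ok = 1 }
              END { exit !ok }' "$cfg"; then
            echo "OK: $u has a PBKDF2 hash"
        else
            echo "FAIL: $u has no valid password_pbkdf2 line"; rc=1
        fi
    done

    # Plaintext "password <user> <secret>" lines defeat the point of hashing.
    if awk '$1 == "password" { found = 1 } END { exit !found }' "$cfg"; then
        echo "FAIL: plaintext password line present"; rc=1
    fi

    # With superusers set, entries lacking --unrestricted (or --users) prompt
    # for credentials before booting, which stalls an unattended reboot.
    locked=$(awk '$1 == "menuentry" && !/--unrestricted/ && !/--users/ { n++ }
                  END { print n + 0 }' "$cfg")
    echo "INFO: $locked menu entries require authentication to boot"
    return $rc
}

# Constructed sample (the hash is a placeholder, not real output).
sample=$(mktemp)
cat > "$sample" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.0A1B2C3D.4E5F6A7B
menuentry 'Linux' --class gnu-linux --unrestricted {
menuentry 'Recovery' --class gnu-linux {
EOF
check_grub_password "$sample"
rm -f "$sample"
```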
Full-disk encryption is easiest during installation. For existing systems, adding LUKS usually requires migrating data to an encrypted volume.
If you are building a new system: