diff --git a/linux-config-secure-grub.yaml b/linux-config-secure-grub.yaml
new file mode 100644
index 0000000..8f826d4
--- /dev/null
+++ b/linux-config-secure-grub.yaml
@@ -0,0 +1,12 @@
+---
+
+- hosts: '{{ ip_addr }}'
+ become: yes
+ become_method: sudo
+ gather_facts: yes
+
+ tasks:
+
+ - name: "[CONFIG SECURE GRUB] configure secure grub"
+ import_role:
+ name: config-secure-grub
diff --git a/roles/config-secure-grub/handlers/main.yaml b/roles/config-secure-grub/handlers/main.yaml
new file mode 100644
index 0000000..8a93e00
--- /dev/null
+++ b/roles/config-secure-grub/handlers/main.yaml
@@ -0,0 +1,4 @@
+---
+# update grub
+- name: grub register
+ command: update-grub
\ No newline at end of file
diff --git a/roles/config-secure-grub/tasks/main.yaml b/roles/config-secure-grub/tasks/main.yaml
new file mode 100644
index 0000000..07b1630
--- /dev/null
+++ b/roles/config-secure-grub/tasks/main.yaml
@@ -0,0 +1,13 @@
+#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+# Secure GRUB edition with password
+# paso1 - Proteger grub
+- name: GRUB password boot protection
+ blockinfile:
+ path: /etc/grub.d/40_custom
+ block: |
+ set superusers="{{ user_grub }}"
+ password_pbkdf2 {{ user_grub }} {{ code_grub }}
+ notify: grub register
+ tags:
+ - grub-password
+#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/roles/config-secure-grub/vars/main.yaml b/roles/config-secure-grub/vars/main.yaml
new file mode 100644
index 0000000..52c9b80
--- /dev/null
+++ b/roles/config-secure-grub/vars/main.yaml
@@ -0,0 +1,3 @@
+---
+user_grub: admin
+code_grub: grub.pbkdf2.sha512.10000.C91C8756466E7DB535C77DB7FBDBF3D33A39A0712DE3A9AFD38BE2229139E86F23C4E007E6B76DDFDBBE4B2B32764B4EFFECF208C70BA9FECC6BB3FF68A6BA05.8EA3857B795AF29FF5C6E003E31EC4D79B84813175C7A56A8A12F3F30A19B501D7127C0307277FB37073EE0246BCFDA9BD4EDDC3A1EE8176D25CD37B7FB07AF7
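Review bot: `become: yes` and `gather_facts: yes` in the new playbook use YAML 1.1 truthy spellings; write `become: true` and `gather_facts: true` so linters and stricter parsers read them the same way Ansible does. `hosts: '{{ ip_addr }}'` has no default and is presumably supplied as an extra variable, so a comment above the play such as `# requires: -e ip_addr=<target host or group>` would document what a caller has to pass.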
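Review bot: The `grub register` handler runs `update-grub` unconditionally, and that wrapper exists only on Debian-family systems. On other targets the handler fails after `/etc/grub.d/40_custom` has already been modified, and a later run will not notify it again because `blockinfile` then reports no change, so the password block can sit on disk without ever reaching the generated GRUB config. Guard the handler with `when: ansible_os_family == 'Debian'` (the play already gathers facts) or add the matching generator command for the other families you manage. The file also ends without a trailing newline.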
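Review bot: The `blockinfile` task writes the PBKDF2 hash into `/etc/grub.d/40_custom` without setting ownership or mode, so the file keeps whatever permissions it already has, and that script is typically readable by every local user. Add `owner: root`, `group: root` and `mode: '0700'` to the task so only root can read the hash while the script stays executable for the config generator. A comment above the task should also record that once `superusers` is set, GRUB asks for credentials on menu entries not marked `--unrestricted`, so depending on how the distribution generates its entries an unattended reboot may stop at the password prompt.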
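Review bot: `code_grub` commits the GRUB password hash in clear text in `roles/config-secure-grub/vars/main.yaml`, so anyone with read access to the repository can run offline guessing against it, and every host the role touches ends up with the same boot credential. Keep the hash out of the repository, for example `code_grub: "{{ vault_code_grub }}"` with the value held in an Ansible Vault file or supplied per host (`vault_code_grub` is a placeholder name). Because the hash is now in the history, the password behind it should be treated as exposed and regenerated. Role `vars/` also outranks inventory variables, so `user_grub: admin` is hard to override per host; `defaults/main.yaml` would be the better home for it.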