I have been trying to achieve something similar on my system. Password protection in grub2 appears to be quite different from that in grub-legacy.
In grub2, authentication is activated by the lines (from the grub info manual, the section on security):
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
in the /boot/grub/grub.cfg file
The command grub-mkpasswd-pbkdf2 can be used to generate the password.
On debian systems, it is better to put those two lines in /etc/grub.d/40_custom to make sure that your changes remain after an `update-grub' command.
But, be advised that once you do this, all the menu entries in grub will be inaccessible until the password is supplied.
It would be nice to have a way of requiring a password only if it required to boot a non-default entry.