Overview of security features
This page provides a high-level overview of the security features in Ubuntu, their default configurations, and the rationale for having them enabled or disabled.
| area | feature | 20.04 LTS | 22.04 LTS | 24.04 LTS | 24.10 | 25.04 |
|---|---|---|---|---|---|---|
| | | 2.13.3 | 3.0.4 | 3.0.7 | 3.0.7 | 3.0.7 |
| | | – | – | kernel & userspace | kernel & userspace | kernel & userspace |
| | | universe | universe | universe | universe | universe |
| | | kernel | kernel | kernel | kernel | kernel |
| | | kernel | kernel | kernel | kernel | kernel |
| | | kernel | kernel | kernel | kernel | kernel |
| | | kernel & userspace (default on server) | kernel & userspace (default on server) | kernel & userspace (default on server) | kernel & userspace (default on server) | kernel & userspace (default on server) |
| | | LUKS + TPM | LUKS + TPM | LUKS + TPM | LUKS + TPM | LUKS + TPM |
| | | main installer | main installer | main installer | main installer | main installer |
| | | ZFS dataset encryption available, encrypted Home (eCryptfs) and ext4 encryption (fscrypt) available in universe | ZFS dataset encryption available, encrypted Home (eCryptfs) and ext4 encryption (fscrypt) available in universe | ZFS dataset encryption available, encrypted Home (eCryptfs) and ext4 encryption (fscrypt) available in universe | ZFS dataset encryption available, encrypted Home (eCryptfs) and ext4 encryption (fscrypt) available in universe | ZFS dataset encryption available, encrypted Home (eCryptfs) and ext4 encryption (fscrypt) available in universe |
| | | policy | policy | policy | policy | policy |
| | | kernel & sysctl | kernel & sysctl | kernel & sysctl | kernel & sysctl | kernel & sysctl |
| | | ufw | ufw | ufw | ufw | ufw |
| | | sha512 | yescrypt | yescrypt | yescrypt | yescrypt |
| | | pollinate | pollinate | pollinate | pollinate | pollinate |
| | | policy | policy | policy | policy | policy |
| | | kernel | kernel | kernel | kernel | kernel |
| | | kernel | kernel | kernel | kernel | kernel |
| | | kernel & sysctl | kernel & sysctl | kernel & sysctl | kernel & sysctl | kernel & sysctl |
| | | kernel & sysctl | kernel & sysctl | kernel & sysctl | kernel & sysctl | kernel & sysctl |
| | | gcc patch | gcc patch | gcc patch | gcc patch | gcc patch |
| | | glibc | glibc | glibc | glibc | glibc |
| | | glibc | glibc | glibc | glibc | glibc |
| | | kernel | kernel | kernel | kernel | kernel |
| | | kernel | kernel | kernel | kernel | kernel |
| | | kernel | kernel | kernel | kernel | kernel |
| | | kernel | kernel | kernel | kernel | kernel |
| | | kernel | kernel | kernel | kernel | kernel |
| | | gcc patch (amd64, ppc64el, s390x), package list for others | gcc patch (amd64, ppc64el, s390x), package list for others | gcc patch (amd64, ppc64el, s390x), package list for others | gcc patch (amd64, ppc64el, s390x), package list for others | gcc patch (amd64, ppc64el, s390x), package list for others |
| | | gcc patch | gcc patch | gcc patch | gcc patch | gcc patch |
| | | gcc patch | gcc patch | gcc patch | gcc patch | gcc patch |
| | | gcc patch (amd64, ppc64el, s390x), package list for others | gcc patch (amd64, ppc64el, s390x), package list for others | gcc patch (amd64, ppc64el, s390x), package list for others | gcc patch (amd64, ppc64el, s390x), package list for others | gcc patch (amd64, ppc64el, s390x), package list for others |
| | | gcc patch (i386, amd64, ppc64el, s390x) | gcc patch (i386, amd64, ppc64el, s390x) | gcc patch (i386, amd64, ppc64el, s390x) | gcc patch (i386, amd64, ppc64el, s390x) | gcc patch (i386, amd64, ppc64el, s390x) |
| | | gcc patch (i386, amd64) | gcc patch (i386, amd64) | gcc patch (i386, amd64) | gcc patch (i386, amd64) | gcc patch (i386, amd64) |
| | | PAE, ia32 partial-NX-emulation | PAE, ia32 partial-NX-emulation | PAE, ia32 partial-NX-emulation | PAE, ia32 partial-NX-emulation | PAE, ia32 partial-NX-emulation |
| | | kernel | kernel | kernel | kernel | kernel |
| | | kernel | kernel | kernel | kernel | kernel |
| | | kernel | kernel | kernel | kernel | kernel |
| | | kernel | kernel | kernel | kernel | kernel |
| | | integrity only, no confidentiality | integrity only, no confidentiality | integrity only, no confidentiality | integrity only, no confidentiality | integrity only, no confidentiality |
| | | kernel | kernel | kernel | kernel | kernel |
| | | sysctl | sysctl | sysctl | sysctl | sysctl |
| | | kernel | kernel | kernel | kernel | kernel |
| | | kernel | kernel | kernel | kernel | kernel |
| | | kernel | kernel | kernel | kernel | kernel |
| | | kernel | kernel | kernel | kernel | kernel |
| | | kernel (i386, amd64, arm64, and s390 only) | kernel (i386, amd64, arm64, and s390 only) | kernel (i386, amd64, arm64, and s390 only) | kernel (i386, amd64, arm64, and s390 only) | kernel (i386, amd64, arm64, and s390 only) |
| | | kernel | kernel | kernel | kernel | kernel |
| | | sysctl | kernel | kernel | kernel | kernel |
| | | sysctl | sysctl | sysctl | sysctl | sysctl |
| | | amd64, kernel signature enforcement | amd64, kernel signature enforcement | amd64, kernel signature enforcement | amd64, kernel signature enforcement | amd64, kernel signature enforcement |
| | | kernel & userspace | kernel & userspace | kernel & userspace | kernel & userspace | kernel & userspace |
| | | kernel & userspace | kernel & userspace | kernel & userspace | kernel & userspace | kernel & userspace |
| | | kernel & userspace | kernel & userspace | kernel & userspace | kernel & userspace | kernel & userspace |
| | | kernel & userspace | kernel & userspace | kernel & userspace | kernel & userspace | kernel & userspace |
| | | 20.04 LTS Kernel | 22.04 LTS Kernel | 24.04 LTS Kernel | – | – |