Ubuntu 26.04 security teasers

- Ubuntu 26.04 LTS teasers highlight post‑quantum cryptography, TPM encryption, Rust utilities, and confidential computing.
- The preview frames those features as security upgrades relevant to hardened deployments and long‑term support customers.
- These changes suggest future Linux platform hardening that could affect CCTV, access control, and SOC tooling running on Ubuntu servers (x.com/swenTEKOps/status/2045973797942264170).

Ubuntu 26.04 LTS is shaping up as Canonical’s next long-support release with security changes turned on by default, not left to manual setup. (ubuntu.com)

Canonical said on April 10 that Ubuntu 26.04 LTS will ship with production-ready Trusted Platform Module-backed full-disk encryption, post-quantum-aware cryptographic defaults, stricter web-server Transport Layer Security settings, and Rust-based replacements for some core tools. (ubuntu.com)

Ubuntu’s release notes list April 23, 2026, as the 26.04 LTS release date and say the release gets five years of standard support through April 2031, with ten years available through Ubuntu Pro. (documentation.ubuntu.com)

Full-disk encryption locks the contents of a drive so stolen hardware cannot be read, and a Trusted Platform Module stores the unlock secret in a chip tied to that machine. Canonical said Ubuntu 26.04 moves that setup from an experimental option to general availability. (ubuntu.com)

Canonical said the new Security Center will let administrators check encryption state, recovery options, Secure Boot status, and disk-protection settings after deployment instead of only during installation. (ubuntu.com)

Post-quantum cryptography is a new set of algorithms meant to hold up if large quantum computers can break today’s public-key systems. Ubuntu engineers said the 26.04 cycle brings OpenSSL 3.5 support for NIST’s 2024 standards, including ML-KEM, ML-DSA, and SLH-DSA. (discourse.ubuntu.com)

In Canonical’s example, a `curl` connection from Ubuntu 25.10 to Cloudflare’s test endpoint negotiated `X25519MLKEM768`, while Ubuntu 24.04 used `X25519` alone. That is the shift Canonical is carrying into the 26.04 long-term support release. (discourse.ubuntu.com)

Confidential computing protects data while it is being processed in memory, not just when it is stored or sent over a network. Canonical says Ubuntu supports Advanced Micro Devices Secure Encrypted Virtualization-Secure Nested Paging and Intel Trust Domain Extensions on both host and guest systems for confidential virtual machines. (ubuntu.com)

Canonical has also kept pushing memory-safe code into security-sensitive parts of the system. Ubuntu 25.10 made `sudo-rs` and `rust-coreutils` the defaults, and the Ubuntu 26.04 security preview says that effort continues in the long-term support release. (ubuntu.com 1) (ubuntu.com 2)

Canonical tied that Rust shift to a long history of memory-corruption bugs in privileged software, citing the `sudo` flaw tracked as CVE-2021-3156, which existed from 2011 to 2021. The company said the traditional GNU and `sudo` implementations still remain available as fallback options. (ubuntu.com)

There are tradeoffs and compatibility checks. Canonical said TPM-backed encryption is incompatible with Absolute, formerly Computrace, and some hardware may still need kernel modules that are unavailable in the TPM-secured kernel path. (ubuntu.com 1) (ubuntu.com 2)

For operators running cameras, access control, log collectors, or security monitoring stacks on Ubuntu servers, the practical change is that more hardening will arrive with the operating system’s defaults. Ubuntu 26.04 does not just add another tool; it changes the baseline that long-lived deployments inherit. (ubuntu.com)
