diff --git a/debian/changelog b/debian/changelog
index 4f4ac402..8e23fe60 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+livecd-rootfs (2.664.20) focal; urgency=medium
+
+ [ Gauthier Jolly ]
+ * ubuntu-cpc: secure esp mountpoint (LP: #1881006)
+ Change mount option for ubuntu-cpc images from "defaults" to "umask=0077"
+ ESP partitions might contain sensitive data and non-root users shouldn't
+ have read access on it.
+
+ -- Robert C Jennings Sat, 10 Apr 2021 05:20:11 -0500
+
 livecd-rootfs (2.664.19) focal; urgency=medium
 [ Patrick Viafore ]
diff --git a/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary b/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
index b16d281e..5295d45f 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
@@ -94,7 +94,7 @@ create_and_mount_uefi_partition() {
 mount "${uefi_dev}" "$mountpoint"/boot/efi
 cat << EOF >> "mountpoint/etc/fstab"
-LABEL=UEFI /boot/efi vfat defaults 0 1
+LABEL=UEFI /boot/efi vfat umask=0077 0 1
 EOF
 }
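Review bot: The heredoc just above the changed entry redirects to `"mountpoint/etc/fstab"` with no `$`, so as written the new `umask=0077` line is appended to a path relative to the build's working directory rather than to the image's fstab, and the hardening would not reach the booted system. Unless that is an artifact of how this page was rendered, the redirect should read `cat << EOF >> "$mountpoint/etc/fstab"`, matching the `"$mountpoint"/boot/efi` use on the mount line. It is also worth confirming in a built image that `/boot/efi` really is mounted with the restrictive mask (for example with `findmnt /boot/efi`), because vfat stores no per-file permissions and this mount option is the only access control on the ESP. The start of create_and_mount_uefi_partition lies above the hunk, so how `mountpoint` is assigned is not visible here.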