diff -Nru livecd-rootfs-2.408.67/debian/changelog livecd-rootfs-2.408.68/debian/changelog
--- livecd-rootfs-2.408.67/debian/changelog 2021-02-10 13:00:48.000000000 +0000
+++ livecd-rootfs-2.408.68/debian/changelog 2021-04-10 10:28:29.000000000 +0000
@@ -1,3 +1,13 @@
+livecd-rootfs (2.408.68) xenial; urgency=medium
+
+ [ Gauthier Jolly ]
+ * ubuntu-cpc: secure esp mountpoint (LP: #1881006)
+ Change mount option for ubuntu-cpc images from "defaults" to "umask=0077"
+ ESP partitions might contain sensitive data and non-root users shouldn't
+ have read access on it.
+
+ -- Robert C Jennings Sat, 10 Apr 2021 05:28:29 -0500
+
 livecd-rootfs (2.408.67) xenial; urgency=medium
 * Revert "esp: install grub in ubuntu bootloader id path, instead of
diff -Nru livecd-rootfs-2.408.67/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary livecd-rootfs-2.408.68/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
--- livecd-rootfs-2.408.67/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary 2021-02-10 12:59:36.000000000 +0000
+++ livecd-rootfs-2.408.68/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary 2021-04-10 10:28:16.000000000 +0000
@@ -49,7 +49,7 @@
 mount "${uefi_dev}" "$mountpoint"/boot/efi
 cat << EOF >> "mountpoint/etc/fstab"
-LABEL=UEFI /boot/efi vfat defaults 0 1
+LABEL=UEFI /boot/efi vfat umask=0077 0 1
 EOF
 }
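Review bot: The heredoc target on the context line directly above the changed entry is `"mountpoint/etc/fstab"` with no `$`, while the preceding `mount` line uses `"$mountpoint"/boot/efi`, so the new `umask=0077` entry appears to be appended to a path relative to the build's working directory rather than to the image's fstab. If so, the built image would not pick up the restrictive ESP mount option from this line at all; the redirect should read `cat << EOF >> "$mountpoint/etc/fstab"`. Because vfat stores no per-file ownership or mode, this option is the only thing restricting read access, so it is worth confirming on a built image that `/boot/efi` is actually mounted with it (for example with `findmnt /boot/efi`). The enclosing function starts outside the hunk.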