Ubuntu 20.04 LTS 'Focal Fossa' Lands, and It's a Meaty Upgrade
Canonical's new LTS release ships WireGuard support, Kernel Self Protection, hardened Secure Boot, and FIDO passwordless login, with support through 2025.
Canonical dropped Ubuntu 20.04 LTS today, and if you run servers, desktops, or a pile of both, this is the release to pay attention to. It’s code-named “Focal Fossa,” it carries standard support through April 2025, and it’s packed with more security-relevant plumbing than any Ubuntu release in recent memory.
The headline for me is built-in WireGuard support. If you’ve been rolling your own VPN setup with OpenVPN or IPsec and gritting your teeth through the config files, WireGuard is a breath of fresh air: a much smaller codebase, modern cryptography by default, and noticeably less fuss to get running. Having it supported out of the box in an LTS release means it’s now a reasonable default choice for new deployments rather than something you had to bolt on yourself.
Security Gets a Real Upgrade
Kernel Self Protection features are also part of this release. These are kernel-hardening mechanisms aimed at making it harder for attackers to exploit memory corruption bugs and other classic kernel vulnerabilities. It’s not the kind of thing that shows up in a flashy feature list, but it’s the kind of unglamorous hardening that actually reduces real-world attack surface over time.
Secure Boot also got attention here, specifically hardening against rootkits. Secure Boot has existed on Ubuntu for a while, but rootkits that try to tamper with the boot chain remain a persistent threat, especially on machines that see a lot of hands or travel through untrusted networks. Tightening that chain of trust is a good sign that Canonical is treating boot-level security as an ongoing project rather than a box that got checked years ago.
And then there’s FIDO passwordless authentication support. Passwords are, frankly, garbage as a security model, and FIDO-based authentication (think hardware security keys or platform authenticators) is one of the more promising paths away from them. Seeing it land in a mainstream Linux distribution’s LTS release, rather than staying a bleeding-edge experiment, is a good signal for where authentication is heading more broadly.
Why This Matters if You’re Not Setting Up Servers Today
Even if you’re not about to spin up new infrastructure this week, 20.04 matters because LTS releases are what enterprises, cloud images, and container base images gravitate toward for years. A huge amount of the Ubuntu instances you’ll interact with over the next few years, whether directly or via some SaaS product running underneath, will trace back to this release. The security posture Canonical bakes in here effectively becomes the security posture of a large slice of the internet’s backend.
My plan is to hold off upgrading my daily driver for a few weeks and let the inevitable early-release rough edges get sanded down, but I’ll likely start moving new server deployments to 20.04 sooner rather than later, mostly to get WireGuard and the kernel hardening without extra setup work. If you manage infrastructure that’s still on 18.04, now’s a good time to start planning the migration path, even if you’re not sprinting to do it this week.