diff --git a/debian/control b/debian/control
index 0d6871a..3480c39 100644
--- a/debian/control
+++ b/debian/control
@@ -126,6 +126,9 @@ Description: enhances misc security settings
   * Restricts loading line disciplines to `CAP_SYS_MODULE`.
  .
   * Restricts the `userfaultfd()` syscall to root.
+ .
+  * Access to debugfs is restricted as it can contain a lot of sensitive
+ information.
  .
  Improve Entropy Collection
  .
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 6104280..dc12cb2 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -66,3 +66,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
 ## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first.
 GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet loglevel=0"
+
+## Restrict access to debugfs since it can contain a lot of sensitive information.
+## https://lkml.org/lkml/2020/7/16/122
+## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"