diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 346ea88..6104280 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -59,3 +59,10 @@ fi
 ## Requires linux-hardened kernel patch.
 ## https://github.com/anthraxx/linux-hardened
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
+
+## Prevent kernel info leaks in console during boot.
+## https://phabricator.whonix.org/T950
+## str_replace is provided by package helper-scripts.
+## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first.
+GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet loglevel=0"