diff --git a/debian/changelog b/debian/changelog
index 8fb03419b..993b0d03c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux-2.6 (2.6.32-9) unstable; urgency=low
+linux-2.6 (2.6.32-9) UNRELEASED; urgency=low
 
   [ Ben Hutchings ]
   * Do not build obsolete lgs8gl5 driver
@@ -7,6 +7,9 @@ linux-2.6 (2.6.32-9) unstable; urgency=low
   [ maximilian attems]
   * Postinst don't refercence k-p related manpage. (Closes: #542208)
 
+  [ Bastian Blank ]
+  * Restrict access to sensitive SysRq keys by default.
+
  -- Ben Hutchings <ben@decadent.org.uk>  Fri, 12 Feb 2010 02:59:33 +0000
 
 linux-2.6 (2.6.32-8) unstable; urgency=high
diff --git a/debian/config/config b/debian/config/config
index cfebee422..f7093629b 100644
--- a/debian/config/config
+++ b/debian/config/config
@@ -3279,6 +3279,8 @@ CONFIG_PRINTK_TIME=y
 CONFIG_ENABLE_WARN_DEPRECATED=y
 CONFIG_ENABLE_MUST_CHECK=y
 CONFIG_MAGIC_SYSRQ=y
+#. everything except {DUMP SIGNAL}
+CONFIG_MAGIC_SYSRQ_DEFAULT_MASK=0x01b6
 CONFIG_STRIP_ASM_SYMS=y
 CONFIG_UNUSED_SYMBOLS=y
 CONFIG_DEBUG_FS=y
diff --git a/debian/patches/debian/sysrq-mask.patch b/debian/patches/debian/sysrq-mask.patch
new file mode 100644
index 000000000..6afc7792c
--- /dev/null
+++ b/debian/patches/debian/sysrq-mask.patch
@@ -0,0 +1,32 @@
+diff --git a/drivers/char/sysrq.c b/drivers/char/sysrq.c
+index 44203ff..964bab1 100644
+--- a/drivers/char/sysrq.c
++++ b/drivers/char/sysrq.c
+@@ -43,7 +43,7 @@
+ #include <asm/irq_regs.h>
+ 
+ /* Whether we react on sysrq keys or just ignore them */
+-int __read_mostly __sysrq_enabled = 1;
++int __read_mostly __sysrq_enabled = CONFIG_MAGIC_SYSRQ_DEFAULT_MASK;
+ 
+ static int __read_mostly sysrq_always_enabled;
+ 
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 234ceb1..415a834 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -50,6 +50,14 @@ config MAGIC_SYSRQ
+ 	  keys are documented in <file:Documentation/sysrq.txt>. Don't say Y
+ 	  unless you really know what this hack does.
+ 
++config MAGIC_SYSRQ_DEFAULT_MASK
++	hex "Default mask for Magic SysRq keys on the console"
++	depends on MAGIC_SYSRQ
++	default 1
++	help
++	  Specifies the default mask for the allowed SysRq keys.  This can be
++	  used to disable several sensitive keys by default.
++
+ config STRIP_ASM_SYMS
+ 	bool "Strip assembler-generated symbols during link"
+ 	default n
diff --git a/debian/patches/series/9 b/debian/patches/series/9
index 3428d99a3..e97973a63 100644
--- a/debian/patches/series/9
+++ b/debian/patches/series/9
@@ -1 +1,2 @@
 + bugfix/all/cxusb-dont-select-lgs8gl5.patch
++ debian/sysrq-mask.patch