diff --git a/manifests/init.pp b/manifests/init.pp
index d4eead320..05bd9afc4 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1129,6 +1129,7 @@ running as a standalone service, or httpd for being run by a httpd server")
 ensure => 'directory',
 owner => $keystone_user,
 group => $keystone_group,
+ mode => '0600',
 subscribe => Anchor['keystone::install::end'],
 })
@@ -1137,6 +1138,7 @@ running as a standalone service, or httpd for being run by a httpd server")
 create_resources('file', $fernet_keys, {
 'owner' => $keystone_user,
 'group' => $keystone_group,
+ 'mode' => '0600',
 'subscribe' => 'Anchor[keystone::install::end]',
 } )
@@ -1162,6 +1164,7 @@ running as a standalone service, or httpd for being run by a httpd server")
 ensure => 'directory',
 owner => $keystone_user,
 group => $keystone_group,
+ mode => '0600',
 subscribe => Anchor['keystone::install::end'],
 })
@@ -1170,6 +1173,7 @@ running as a standalone service, or httpd for being run by a httpd server")
 create_resources('file', $credential_keys, {
 'owner' => $keystone_user,
 'group' => $keystone_group,
+ 'mode' => '0600',
 'subscribe' => 'Anchor[keystone::install::end]',
 } )
diff --git a/releasenotes/notes/permissions_on_keys_and_creds-9c0b9f56dfc1fd63.yaml b/releasenotes/notes/permissions_on_keys_and_creds-9c0b9f56dfc1fd63.yaml
new file mode 100644
index 000000000..97ca79cea
--- /dev/null
+++ b/releasenotes/notes/permissions_on_keys_and_creds-9c0b9f56dfc1fd63.yaml
@@ -0,0 +1,5 @@
+---
+security:
+ - Make the fernet key directory, fernet keys, credential folder, and credentials have mode 0600. This ensures that only the keystone user can read the keys.
diff --git a/spec/classes/keystone_spec.rb b/spec/classes/keystone_spec.rb
index a372e54c4..79bb0ddbd 100644
--- a/spec/classes/keystone_spec.rb
+++ b/spec/classes/keystone_spec.rb
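Review bot: `mode => '0600'` on the two `ensure => 'directory'` resources (this hunk and the one at line 1164) declares a mode without the search bit; Puppet's file type adds the execute bit to directories wherever a read bit is set, so the directory ends up 0700 on disk while the manifest and the spec expectation state 0600. Declaring `mode => '0700',` for the two directories makes the applied permission explicit, and keeps '0600' only for the key files set through the `create_resources` defaults in the hunks at lines 1138 and 1173. Those are defaults, not enforced values: a `mode` supplied inside `$fernet_keys` or `$credential_keys` by the caller overrides them, so the release note's claim that only the keystone user can read the keys holds only when callers do not pass their own mode; that may deserve a one-line comment above each `create_resources` call. Unless a `recurse` is set above the hunk, the directory resources do not touch key files that are present on disk but absent from those hashes. The enclosing class body continues outside every hunk.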
@@ -907,6 +907,7 @@ describe 'keystone' do
 :ensure => 'directory',
 :owner => params['keystone_user'],
 :group => params['keystone_group'],
+ 'mode' => '0600',
 ) }
 it { is_expected.to contain_exec('keystone-manage credential_setup').with(
@@ -1004,6 +1005,7 @@ describe 'keystone' do
 :ensure => 'directory',
 :owner => params['keystone_user'],
 :group => params['keystone_group'],
+ :mode => '0600',
 ) }
 it { is_expected.to contain_exec('keystone-manage fernet_setup').with(
@@ -1069,12 +1071,14 @@ describe 'keystone' do
 'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
 'owner' => 'keystone',
 'owner' => 'keystone',
+ 'mode' => '0600',
 'subscribe' => 'Anchor[keystone::install::end]',
 )}
 it { is_expected.to contain_file('/etc/keystone/fernet-keys/1').with(
 'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
 'owner' => 'keystone',
 'owner' => 'keystone',
+ 'mode' => '0600',
 'subscribe' => 'Anchor[keystone::install::end]',
 )}
 end
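Review bot: The first hunk (line 907) adds `'mode' => '0600'` with a string key while the neighbouring keys in the same `with(` call are symbols (`:ensure`, `:owner`, `:group`), and the second hunk (line 1005) uses `:mode` for the same attribute; rspec-puppet appears to accept both, but one `with` call should not mix them, so the first should read `:mode => '0600',`. In the third hunk the new `'mode'` line sits under a duplicated `'owner' => 'keystone'` pair (Ruby warns on the duplicate key and the second value simply wins), so the group of the key files is never asserted; turning the second into `'group' => 'keystone',` would cover the ownership the 0600 mode relies on. If the directory resources in init.pp are declared with mode '0700' instead of '0600', the expectations at lines 907 and 1005 need the same value. Each `describe` block continues outside the hunks.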