diff --git a/mender-convert-modify b/mender-convert-modify
index 89e3b4c..6a1140f 100755
--- a/mender-convert-modify
+++ b/mender-convert-modify
@@ -193,6 +193,7 @@ cat <<- EOF > work/mender.conf.data
 EOF
 
 run_and_log_cmd "sudo cp work/mender.conf.data work/rootfs/data/mender/mender.conf"
+run_and_log_cmd "sudo chmod 600 work/rootfs/data/mender/mender.conf"
 
 if [ -z "${MENDER_DEVICE_TYPE}" ]; then
   # Observed systems who do not have this file, e.g images generated with mkosi
diff --git a/scripts/bootstrap-rootfs-overlay-demo-server.sh b/scripts/bootstrap-rootfs-overlay-demo-server.sh
index 3e72384..18cb251 100755
--- a/scripts/bootstrap-rootfs-overlay-demo-server.sh
+++ b/scripts/bootstrap-rootfs-overlay-demo-server.sh
@@ -62,6 +62,9 @@ cat <<- EOF > ${output_dir}/etc/mender/mender.conf
   "UpdatePollIntervalSeconds": 5
 }
 EOF
+
+chmod 600 ${output_dir}/etc/mender/mender.conf
+
 cat <<- EOF > ${output_dir}/etc/hosts
 127.0.0.1	localhost
 
diff --git a/scripts/bootstrap-rootfs-overlay-hosted-server.sh b/scripts/bootstrap-rootfs-overlay-hosted-server.sh
index 25ac03b..355b56c 100755
--- a/scripts/bootstrap-rootfs-overlay-hosted-server.sh
+++ b/scripts/bootstrap-rootfs-overlay-hosted-server.sh
@@ -64,6 +64,8 @@ cat <<- EOF > ${output_dir}/etc/mender/mender.conf
 }
 EOF
 
+chmod 600 ${output_dir}/etc/mender/mender.conf
+
 sudo chown -R root.root ${output_dir}
 
 echo "Configuration file for using Hosted Mender written to: ${output_dir}/etc/mender"
diff --git a/scripts/bootstrap-rootfs-overlay-production-server.sh b/scripts/bootstrap-rootfs-overlay-production-server.sh
index 40a5030..cca6e5a 100755
--- a/scripts/bootstrap-rootfs-overlay-production-server.sh
+++ b/scripts/bootstrap-rootfs-overlay-production-server.sh
@@ -77,6 +77,8 @@ cat <<- EOF >> ${output_dir}/etc/mender/mender.conf
 }
 EOF
 
+chmod 600 ${output_dir}/etc/mender/mender.conf
+
 sudo chown -R root.root ${output_dir}
 
 echo "Configuration file for using Production Mender Server written to: ${output_dir}/etc/mender"