diff --git a/lib/gems/pending/appliance_console/key_configuration.rb b/lib/gems/pending/appliance_console/key_configuration.rb
index cd06f2478..53514b435 100644
--- a/lib/gems/pending/appliance_console/key_configuration.rb
+++ b/lib/gems/pending/appliance_console/key_configuration.rb
@@ -66,10 +66,13 @@ def activate
     end
 
     def save_new_key
-      FileUtils.mv(NEW_KEY_FILE, KEY_FILE, :force => true)
-    rescue => e
-      say("Failed to overwrite original key, original key kept. #{e.message}")
-      return false
+      begin
+        FileUtils.mv(NEW_KEY_FILE, KEY_FILE, :force => true)
+      rescue => e
+        say("Failed to overwrite original key, original key kept. #{e.message}")
+        return false
+      end
+      FileUtils.chmod(0o400, KEY_FILE)
     end
 
     def remove_new_key_if_any
diff --git a/spec/appliance_console/key_configuration_spec.rb b/spec/appliance_console/key_configuration_spec.rb
index e837d9295..32ce444f4 100644
--- a/spec/appliance_console/key_configuration_spec.rb
+++ b/spec/appliance_console/key_configuration_spec.rb
@@ -65,6 +65,7 @@
           v2_exists(true)  # after downloaded
           expect(Net::SCP).to receive(:start).with(host, "root", :password => password)
           expect(FileUtils).to receive(:mv).with(/v2_key\.tmp/, /v2_key$/, :force=>true).and_return(true)
+          expect(FileUtils).to receive(:chmod).with(0o400, /v2_key/).and_return(["v2_key"])
           expect(subject.activate).to be_truthy
         end
 
@@ -73,6 +74,7 @@
           v2_exists(false)
           expect(MiqPassword).to receive(:generate_symmetric).and_return(154)
           expect(FileUtils).to receive(:mv).with(/v2_key\.tmp/, /v2_key$/, :force=>true).and_return(true)
+          expect(FileUtils).to receive(:chmod).with(0o400, /v2_key/).and_return(["v2_key"])
           expect(subject.activate).to be_truthy
         end
       end
@@ -86,6 +88,7 @@
           expect(scp).to receive(:download!).with(subject.key_path, /v2_key/).and_return(:result)
           expect(Net::SCP).to receive(:start).with(host, "root", :password => password).and_yield(scp).and_return(true)
           expect(FileUtils).to receive(:mv).with(/v2_key\.tmp/, /v2_key$/, :force=>true).and_return(true)
+          expect(FileUtils).to receive(:chmod).with(0o400, /v2_key/).and_return(["v2_key"])
           expect(subject.activate).to be_truthy
         end