diff --git a/debian/postinst b/debian/postinst
index 26279bce7..4705b8df4 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -28,9 +28,23 @@ if [ "$1" = configure ]; then
         set -e
         COLLECTIONS=true
     fi
+
+    if [[ -f /etc/crowdsec/local_api_credentials.yaml ]] ; then
+        chmod 600 /etc/crowdsec/local_api_credentials.yaml
+    fi
+
+    if [[ -f /etc/crowdsec/online_api_credentials.yaml ]]; then
+        chmod 600 /etc/crowdsec/online_api_credentials.yaml
+    fi
+    
     if [[ ! -f /etc/crowdsec/local_api_credentials.yaml ]] || [[ ! -f /etc/crowdsec/online_api_credentials.yaml ]]; then
-        touch /etc/crowdsec/local_api_credentials.yaml
-        touch /etc/crowdsec/online_api_credentials.yaml
+        if [[ ! -f /etc/crowdsec/local_api_credentials.yaml ]] ; then
+            install -m 600 /dev/null  /etc/crowdsec/local_api_credentials.yaml
+        fi
+        if [[ ! -f /etc/crowdsec/online_api_credentials.yaml ]] ; then
+            install -m 600 /dev/null  /etc/crowdsec/online_api_credentials.yaml
+        fi
+
         db_input medium crowdsec/lapi || true
         db_go || true
         
diff --git a/rpm/SPECS/crowdsec.spec b/rpm/SPECS/crowdsec.spec
index 9576baf6f..11d3ff0e2 100644
--- a/rpm/SPECS/crowdsec.spec
+++ b/rpm/SPECS/crowdsec.spec
@@ -155,8 +155,8 @@ if [ $1 == 1 ]; then
         set +e
     fi
     if [ ! -f "%{_sysconfdir}/crowdsec/online_api_credentials.yaml" ] && [ ! -f "%{_sysconfdir}/crowdsec/local_api_credentials.yaml" ] ; then
-        touch %{_sysconfdir}/crowdsec/online_api_credentials.yaml
-        touch %{_sysconfdir}/crowdsec/local_api_credentials.yaml
+        install -m 600 /dev/null %{_sysconfdir}/crowdsec/online_api_credentials.yaml
+        install -m 600 /dev/null %{_sysconfdir}/crowdsec/local_api_credentials.yaml
         cscli capi register
         cscli machines add -a
     fi
@@ -180,6 +180,13 @@ elif [ $1 == 2 ] && [ -d /var/lib/crowdsec/backup ]; then
        rm -rf /var/lib/crowdsec/backup
     fi
 
+    if [[ -f %{_sysconfdir}/crowdsec/online_api_credentials.yaml ]] ; then
+        chmod 600 %{_sysconfdir}/crowdsec/online_api_credentials.yaml
+    fi
+    
+    if [[ -f %{_sysconfdir}/crowdsec/local_api_credentials.yaml ]] ; then
+        chmod 600 %{_sysconfdir}/crowdsec/local_api_credentials.yaml
+    fi
 fi
 
 %systemd_post %{name}.service