Permissions for Sensitive Files — Passwords, Keys, and Secrets
Best practice permissions for files containing passwords, API keys, database credentials, SSL certificates, and other secrets on Linux systems.
Detailed Explanation
Securing Sensitive Files
Any file containing credentials, keys, or secrets must have restrictive permissions. Overly permissive files are a common finding in security audits.
Recommended Permissions by File Type
| File Type | Permission | Rationale |
|---|---|---|
| Private SSH keys | 600 | SSH enforces this |
| SSL/TLS private keys | 600 | Prevent key theft |
| SSL certificates | 644 | Certificates are public |
| .env files | 600 | Contains app secrets |
| Database config | 600 | Contains credentials |
| API key files | 600 | Prevent unauthorized API access |
| Password files (/etc/shadow) | 640 | Root + shadow group only |
| Backup encryption keys | 400 | Read-only, even for owner |
Application-Specific Files
```bash
# WordPress
chmod 600 wp-config.php
# Laravel / PHP
chmod 600 .env
# Node.js
chmod 600 .env
chmod 600 .env.production
# Docker
chmod 600 .docker/config.json # May contain registry credentials
# Kubernetes
chmod 600 ~/.kube/config # Contains cluster credentials
# AWS CLI
chmod 600 ~/.aws/credentials
chmod 600 ~/.aws/config
# GCP
chmod 600 ~/.config/gcloud/credentials.db
```
Ownership Matters Too
Permissions alone are not enough. The file must be owned by the correct user:
```bash
# Web application secrets should be owned by the web server user
chown www-data:www-data /var/www/app/.env
chmod 600 /var/www/app/.env
# Database config owned by the database service
chown mysql:mysql /etc/mysql/my.cnf
chmod 600 /etc/mysql/my.cnf
```
Finding Overly Permissive Files
```bash
# Find world-readable files in sensitive locations
find /etc -perm -o=r -type f 2>/dev/null
# Find world-writable files
find / -perm -o=w -type f 2>/dev/null
# Find SUID binaries (potential security risk)
find / -perm -4000 -type f 2>/dev/null
```
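The find commands above surface anything world-accessible; a narrower check is to compare each known secret file against the mode and owner from the table. The script below does that as an added example (not part of this reference page): it assumes GNU coreutils `stat` on Linux, and the path list and expected owners inside it are constructed defaults to adjust per host.

```bash
#!/bin/sh
# Audit sensitive files against the permission table above. Added example,
# not part of the original reference; assumes GNU coreutils stat (Linux).
# The file list and owners below are constructed defaults, adjust per host.

# perm_ok FILE MAX_MODE: succeed only if FILE grants no permission bit beyond
# MAX_MODE, so a 400 key passes a 600 check while a 644 key fails it.
perm_ok() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || return 2   # 2 = file missing
    # Leading 0 makes the shell read both values as octal; the 0777 mask
    # drops a setuid/setgid/sticky digit that stat reports as a fourth digit.
    [ $(( 0$actual & ~0$2 & 0777 )) -eq 0 ]
}

# audit_file FILE MAX_MODE [USER:GROUP]: print a verdict, return 1 on a finding.
audit_file() {
    file=$1; max=$2; owner=${3:-}; rc=0
    if [ ! -e "$file" ]; then
        echo "SKIP $file (not present)"; return 0
    fi
    if ! perm_ok "$file" "$max"; then
        echo "FAIL $file mode $(stat -c '%a' "$file"), expected at most $max"; rc=1
    fi
    if [ -n "$owner" ] && [ "$(stat -c '%U:%G' "$file")" != "$owner" ]; then
        echo "FAIL $file owned by $(stat -c '%U:%G' "$file"), expected $owner"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $file"
    return "$rc"
}

# audit_defaults: walk a constructed list of path / max mode / expected owner
# (owner empty = not checked) and return the number of findings.
audit_defaults() {
    failures=0
    while read -r path max owner; do
        [ -z "$path" ] && continue
        audit_file "$path" "$max" "$owner" || failures=$((failures + 1))
    done <<EOF
$HOME/.ssh/id_rsa 600
$HOME/.ssh/id_ed25519 600
$HOME/.aws/credentials 600
$HOME/.kube/config 600
/etc/shadow 640 root:shadow
/var/www/app/.env 600 www-data:www-data
EOF
    echo "findings: $failures"
    return "$failures"
}
audit_defaults || :
```

Files that are absent are skipped rather than reported, so the same list can run unchanged on hosts that do not carry every secret type.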
Use Case
Security engineers and DevOps teams use this reference when hardening servers, passing compliance audits (PCI-DSS, SOC 2, HIPAA), or setting up deployment pipelines. Ensuring correct permissions on sensitive files is a fundamental security control.