diff --git a/wireguard/tasks/main.yml b/wireguard/tasks/main.yml
index 62da7ca2dfdab949669056bbb492cf81c9a17033..9f5ccc62bb4a53c49a10d3dbd932c69c16db109f 100644
--- a/wireguard/tasks/main.yml
+++ b/wireguard/tasks/main.yml
@@ -5,7 +5,7 @@
 
 - name: ensure we have a private key
   shell:
-    cmd: "wg genkey | tee {{ item.key }}.key | wg pubkey > {{ item.key }}.pub"
+    cmd: "umask 077 && wg genkey | tee {{ item.key }}.key | wg pubkey > {{ item.key }}.pub"
     chdir: /etc/wireguard
     creates: "/etc/wireguard/{{ item.key }}.key"
   with_dict: "{{ wireguard_interfaces }}"
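Review bot: The pipeline on the new `cmd` line still has no `pipefail`, so if `wg genkey` fails the `tee` step creates an empty `{{ item.key }}.key`, `wg pubkey` writes a bogus `.pub`, and the `creates:` guard then skips the task on every later run, leaving the broken key in place silently. Since the shell module runs under `/bin/sh` by default, add the option together with an explicit interpreter: `cmd: "set -o pipefail && umask 077 && wg genkey | tee {{ item.key }}.key | wg pubkey > {{ item.key }}.pub"` plus `executable: /bin/bash` under `shell:`. Note that `umask 077` now also creates the `.pub` file as 0600, which is harmless for a public key but means the later `slurp` of `/etc/wireguard/{{ item.key }}.pub` only works when that task runs privileged; confirm the play uses `become` for it.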
@@ -13,6 +13,14 @@
     - restart wireguard
   no_log: true
 
+- name: ensure the key is not accessible to users
+  file:
+    path: "/etc/wireguard/{{ item.key }}.key"
+    owner: root
+    group: root
+    mode: '0600'
+  with_dict: "{{ wireguard_interfaces }}"
+
 - name: get the pubkey
   slurp:
     src: "/etc/wireguard/{{ item.key }}.pub"
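Review bot: The new `file` task loops over `wireguard_interfaces` with `with_dict` but has no `no_log` or `loop_control`, so Ansible prints each full item, key and value, in the task output; the preceding key-generation task over the same dict is `no_log: true`, which suggests those values are not meant to appear in logs. Either add `no_log: true` to the new task as well, or, to keep the output useful, add `loop_control:` with `label: "{{ item.key }}"` so only the interface name is shown. The `owner`/`group`/`mode` settings themselves look right for a private key; `mode: '0600'` is correctly quoted so it is not read as an octal integer.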