diff --git a/rai/core_test/block_store.cpp b/rai/core_test/block_store.cpp
index 2361f98e..3f9389a5 100644
--- a/rai/core_test/block_store.cpp
+++ b/rai/core_test/block_store.cpp
@@ -483,6 +483,7 @@ TEST (block_store, DISABLED_already_open) // File can be shared
 {
 	auto path (rai::unique_path ());
 	boost::filesystem::create_directories (path.parent_path ());
+	boost::filesystem::permissions (path.parent_path (), boost::filesystem::owner_all);
 	std::ofstream file;
 	file.open (path.string ().c_str ());
 	ASSERT_TRUE (file.is_open ());
diff --git a/rai/lib/CMakeLists.txt b/rai/lib/CMakeLists.txt
index 3f93994e..f2a460c3 100644
--- a/rai/lib/CMakeLists.txt
+++ b/rai/lib/CMakeLists.txt
@@ -1,11 +1,11 @@
 if (${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
-	set (platform_sources plat/default/priority.cpp)
+	set (platform_sources plat/default/priority.cpp plat/posix/perms.cpp)
 elseif (${CMAKE_SYSTEM_NAME} MATCHES "Windows")
-	set (platform_sources plat/windows/priority.cpp)
+	set (platform_sources plat/windows/priority.cpp plat/windows/perms.cpp)
 elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
-	set (platform_sources plat/linux/priority.cpp)
+	set (platform_sources plat/linux/priority.cpp plat/posix/perms.cpp)
 elseif (${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
-	set (platform_sources plat/default/priority.cpp)
+	set (platform_sources plat/default/priority.cpp plat/posix/perms.cpp)
 else ()
 	error ("Unknown platform: ${CMAKE_SYSTEM_NAME}")
 endif ()
diff --git a/rai/lib/plat/posix/perms.cpp b/rai/lib/plat/posix/perms.cpp
new file mode 100644
index 00000000..5e993cc1
--- /dev/null
+++ b/rai/lib/plat/posix/perms.cpp
@@ -0,0 +1,9 @@
+#include <rai/lib/utility.hpp>
+
+#include <sys/stat.h>
+#include <sys/types.h>
+
+void rai::set_umask ()
+{
+	umask (077);
+}
diff --git a/rai/lib/plat/windows/perms.cpp b/rai/lib/plat/windows/perms.cpp
new file mode 100644
index 00000000..a09a2602
--- /dev/null
+++ b/rai/lib/plat/windows/perms.cpp
@@ -0,0 +1,14 @@
+#include <assert.h>
+#include <rai/lib/utility.hpp>
+
+#include <io.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+void rai::set_umask ()
+{
+	int oldMode;
+
+	auto result (_umask_s (_S_IWRITE | _S_IREAD, &oldMode));
+	assert (result == 0);
+}
diff --git a/rai/lib/utility.hpp b/rai/lib/utility.hpp
index 30c8069d..2972a5dd 100644
--- a/rai/lib/utility.hpp
+++ b/rai/lib/utility.hpp
@@ -9,6 +9,7 @@ namespace rai
 {
 // Lower priority of calling work generating thread
 void work_thread_reprioritize ();
+void set_umask ();
 template <typename... T>
 class observer_set
 {
diff --git a/rai/node/lmdb.cpp b/rai/node/lmdb.cpp
index a4535966..54684fdd 100644
--- a/rai/node/lmdb.cpp
+++ b/rai/node/lmdb.cpp
@@ -14,6 +14,7 @@ rai::mdb_env::mdb_env (bool & error_a, boost::filesystem::path const & path_a, i
 	if (path_a.has_parent_path ())
 	{
 		boost::filesystem::create_directories (path_a.parent_path (), error);
+		boost::filesystem::permissions (path_a.parent_path (), boost::filesystem::owner_all);
 		if (!error)
 		{
 			auto status1 (mdb_env_create (&environment));
diff --git a/rai/node/node.cpp b/rai/node/node.cpp
index a7689a6d..8d054c2d 100644
--- a/rai/node/node.cpp
+++ b/rai/node/node.cpp
@@ -2443,6 +2443,7 @@ void rai::node::backup_wallet ()
 	{
 		auto backup_path (application_path / "backup");
 		boost::filesystem::create_directories (backup_path);
+		boost::filesystem::permissions (backup_path, boost::filesystem::owner_all);
 		i->second->store.write_backup (transaction, backup_path / (i->first.to_string () + ".json"));
 	}
 	auto this_l (shared ());
@@ -4116,6 +4117,7 @@ alarm (*service),
 work (1, nullptr)
 {
 	boost::filesystem::create_directories (path);
+	boost::filesystem::permissions (path, boost::filesystem::owner_all);
 	logging.max_size = std::numeric_limits<std::uintmax_t>::max ();
 	logging.init (path);
 	node = std::make_shared<rai::node> (init, *service, 24000, path, alarm, logging, work);
diff --git a/rai/rai_node/daemon.cpp b/rai/rai_node/daemon.cpp
index 181aac00..9f830c2d 100644
--- a/rai/rai_node/daemon.cpp
+++ b/rai/rai_node/daemon.cpp
@@ -96,6 +96,7 @@ bool rai_daemon::daemon_config::upgrade_json (unsigned version_a, boost::propert
 void rai_daemon::daemon::run (boost::filesystem::path const & data_path)
 {
 	boost::filesystem::create_directories (data_path);
+	boost::filesystem::permissions (data_path, boost::filesystem::owner_all);
 	rai_daemon::daemon_config config (data_path);
 	auto config_path ((data_path / "config.json"));
 	std::fstream config_file;
diff --git a/rai/rai_node/entry.cpp b/rai/rai_node/entry.cpp
index 2e6fd09f..efd0f5b8 100644
--- a/rai/rai_node/entry.cpp
+++ b/rai/rai_node/entry.cpp
@@ -1,3 +1,4 @@
+#include <rai/lib/utility.hpp>
 #include <rai/node/cli.hpp>
 #include <rai/node/node.hpp>
 #include <rai/node/testing.hpp>
@@ -10,6 +11,8 @@
 
 int main (int argc, char * const * argv)
 {
+	rai::set_umask ();
+
 	boost::program_options::options_description description ("Command line options");
 	rai::add_node_options (description);
 
diff --git a/rai/rai_wallet/entry.cpp b/rai/rai_wallet/entry.cpp
index c3eb88bf..ad9d9692 100644
--- a/rai/rai_wallet/entry.cpp
+++ b/rai/rai_wallet/entry.cpp
@@ -191,6 +191,7 @@ int run_wallet (QApplication & application, int argc, char * const * argv, boost
 {
 	rai_qt::eventloop_processor processor;
 	boost::filesystem::create_directories (data_path);
+	boost::filesystem::permissions (data_path, boost::filesystem::owner_all);
 	QPixmap pixmap (":/logo.png");
 	QSplashScreen * splash = new QSplashScreen (pixmap);
 	splash->show ();
@@ -285,6 +286,8 @@ int run_wallet (QApplication & application, int argc, char * const * argv, boost
 
 int main (int argc, char * const * argv)
 {
+	rai::set_umask ();
+
 	try
 	{
 		QApplication application (argc, const_cast<char **> (argv));