diff --git a/letsencrypt/account.py b/letsencrypt/account.py
index 4289a190e..12389ebfd 100644
--- a/letsencrypt/account.py
+++ b/letsencrypt/account.py
@@ -192,7 +192,8 @@ class AccountFileStorage(interfaces.AccountStorage):
         try:
             with open(self._regr_path(account_dir_path), "w") as regr_file:
                 regr_file.write(account.regr.json_dumps())
-            with open(self._key_path(account_dir_path), "w") as key_file:
+            with le_util.safe_open(self._key_path(account_dir_path),
+                                   "w", chmod=0o400) as key_file:
                 key_file.write(account.key.json_dumps())
             with open(self._metadata_path(account_dir_path), "w") as metadata_file:
                 metadata_file.write(account.meta.json_dumps())
diff --git a/letsencrypt/tests/account_test.py b/letsencrypt/tests/account_test.py
index 8c2464d34..bd34edc56 100644
--- a/letsencrypt/tests/account_test.py
+++ b/letsencrypt/tests/account_test.py
@@ -3,6 +3,7 @@ import datetime
 import os
 import pkg_resources
 import shutil
+import stat
 import tempfile
 import unittest
@@ -130,6 +131,8 @@ class AccountFileStorageTest(unittest.TestCase):
         for file_name in "regr.json", "meta.json", "private_key.json":
             self.assertTrue(os.path.exists(
                 os.path.join(account_path, file_name)))
+        self.assertEqual("0400", oct(os.stat(os.path.join(
+            account_path, "private_key.json"))[stat.ST_MODE] & 0o777))
         # restore
         self.assertEqual(self.acc, self.storage.load(self.acc.id))
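Review bot: The private key file now gets mode 0o400 via `le_util.safe_open(..., chmod=0o400)`, but whether that mode is applied at creation time or by a chmod after a default-umask open is not visible in this hunk; if it is the latter, `private_key.json` is briefly readable under a permissive umask, so confirm that `safe_open` hands the mode to `os.open` rather than fixing it up afterwards. It is also worth confirming how `safe_open` treats an already existing `private_key.json`: a file left at 0o400 cannot be reopened with `"w"` by a non-root user, and an exclusive-create open would raise on a second save, so the re-save path of this method deserves its own test. `le_util` must be imported in `account.py`; that import is outside the hunk. The enclosing method (presumably the account save) and its `except` clause start and end outside the hunk.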
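Review bot: The added assertion in `AccountFileStorageTest` compares `oct(...)` against the string `"0400"`, which ties the test to Python 2's `oct` formatting (Python 3 renders the same value as `"0o400"`); comparing integers avoids that and states the intent directly: `self.assertEqual(0o400, stat.S_IMODE(os.stat(os.path.join(account_path, "private_key.json")).st_mode))`. `stat.S_IMODE` also replaces the hand-rolled `[stat.ST_MODE] & 0o777` mask. The enclosing test method starts outside the hunk.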