diff --git a/pkg/acme/directoryStorage.go b/pkg/acme/directoryStorage.go
index c2e563650..0a1218b7b 100644
--- a/pkg/acme/directoryStorage.go
+++ b/pkg/acme/directoryStorage.go
@@ -34,8 +34,7 @@ func (d directoryStorage) accountKeyFile(acmeHost string) string {
 	return filepath.Join(d.accountDirectory(acmeHost), "account.key")
 }
 
-// TODO: probably lock these down more
-const perms os.FileMode = 0644
+const perms os.FileMode = 0600
 const dirPerms os.FileMode = 0700
 
 func (d directoryStorage) GetCertificate(name string) (*certificate.Resource, error) {