diff --git a/cmd/bd/setup/utils.go b/cmd/bd/setup/utils.go
index 87c18c47..788a051f 100644
--- a/cmd/bd/setup/utils.go
+++ b/cmd/bd/setup/utils.go
@@ -31,8 +31,8 @@ func atomicWriteFile(path string, data []byte) error {
 return fmt.Errorf("close temp file: %w", err)
 }
- // Set permissions to 0644
- if err := os.Chmod(tmpPath, 0644); err != nil {
+ // Set permissions to 0600 (owner read/write only)
+ if err := os.Chmod(tmpPath, 0600); err != nil {
 _ = os.Remove(tmpPath) // Best effort cleanup
 return fmt.Errorf("set permissions: %w", err)
 }
diff --git a/cmd/bd/setup/utils_test.go b/cmd/bd/setup/utils_test.go
index 345fb012..e5569584 100644
--- a/cmd/bd/setup/utils_test.go
+++ b/cmd/bd/setup/utils_test.go
@@ -35,8 +35,8 @@ func TestAtomicWriteFile(t *testing.T) {
 }
 mode := info.Mode()
- if mode.Perm() != 0644 {
- t.Errorf("file permissions mismatch: got %o, want %o", mode.Perm(), 0644)
+ if mode.Perm() != 0600 {
+ t.Errorf("file permissions mismatch: got %o, want %o", mode.Perm(), 0600)
 }
 // Test overwriting existing file
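Review bot: The `os.Chmod(tmpPath, 0600)` call runs only after the data has been written and the temp file closed, so until then the file keeps whatever mode it was created with. The creation call is outside this hunk: if it uses `os.CreateTemp` the file is already 0600 and the chmod is just a safeguard, but if it opens the file with a wider mode the contents are briefly readable by other local users. In that case the mode should be set at creation, or by calling `Chmod(0600)` on the open temp file handle before the first write. Files written at 0644 by earlier versions also keep that mode until they are next rewritten through `atomicWriteFile`, which is worth stating in the function's doc comment or the release notes.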
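Review bot: The updated `mode.Perm() != 0600` assertion covers only the freshly created file. The overwrite case that begins right after this hunk is outside it, and that is the path where a file left at 0644 by an earlier version gets replaced. If that case does not already check the mode, pre-create the target at 0644 and repeat the check after the second write, e.g. `if info.Mode().Perm() != 0600 { t.Errorf("overwrite kept old permissions: got %o", info.Mode().Perm()) }`. That pins the tightening on the upgrade path, not just on first write.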