diff --git a/src/etc/one-context.d/loc-16-gen-env b/src/etc/one-context.d/loc-16-gen-env
index 372a483..52ca43c 100755
--- a/src/etc/one-context.d/loc-16-gen-env
+++ b/src/etc/one-context.d/loc-16-gen-env
@@ -8,6 +8,7 @@ if [ -n "$ONEGATE_TOKEN" ]; then
     TOKENTXT="$ONEGATE_TOKEN"
 fi
 
+umask 0377
 echo "export TOKENTXT=\"$TOKENTXT\"" > $ENV_FILE
 echo "export VMID=\"$VMID\"" >> $ENV_FILE
 echo "export ONEGATE_ENDPOINT=\"$ONEGATE_ENDPOINT\"" >> $ENV_FILE
@@ -28,5 +29,5 @@ function export_rc_vars
 export_rc_vars ${CONTEXT_FILE}
 
 chown root:root $ENV_FILE
-chmod a+r $ENV_FILE
+chmod 0400 $ENV_FILE
 
diff --git a/src/usr/sbin/one-contextd b/src/usr/sbin/one-contextd
index 15e251d..0a0b545 100755
--- a/src/usr/sbin/one-contextd
+++ b/src/usr/sbin/one-contextd
@@ -181,6 +181,8 @@ function get_new_context {
         log err 'Error: No contextualization found' 2
         exit 1
     fi
+
+    chmod 0400 "${CONTEXT_NEW}"
 }
 
 function check_context {