diff --git a/packages/server/src/utils/index.ts b/packages/server/src/utils/index.ts
index 2eeeb5b0eb6..3b23e184685 100644
--- a/packages/server/src/utils/index.ts
+++ b/packages/server/src/utils/index.ts
@@ -1584,7 +1584,17 @@ export const getEncryptionKey = async (): Promise<string> => {
         const defaultLocation = process.env.SECRETKEY_PATH
             ? path.join(process.env.SECRETKEY_PATH, 'encryption.key')
             : path.join(getUserHome(), '.flowise', 'encryption.key')
-        await fs.promises.writeFile(defaultLocation, encryptKey)
+        await fs.promises.writeFile(defaultLocation, encryptKey, { mode: 0o600 })
+        // writeFile's `mode` only applies when the file is newly created; if a previous run left
+        // a file at the same path with a permissive mode, the mode is NOT downgraded. Explicit
+        // chmod after the write ensures 0o600 regardless of pre-existing state. Best-effort: a
+        // chmod failure on non-POSIX filesystems shouldn't block key generation.
+        try {
+            await fs.promises.chmod(defaultLocation, 0o600)
+        } catch (chmodError) {
+            // Non-fatal: log but don't fail. Pre-existing files on POSIX systems will already be
+            // chmodded; non-POSIX (Windows) filesystems silently ignore POSIX modes anyway.
+        }
         return encryptKey
     }
 }