diff --git a/user_channel/passwd_mgr.cpp b/user_channel/passwd_mgr.cpp
index 5e0b30d..b2d32e8 100644
--- a/user_channel/passwd_mgr.cpp
+++ b/user_channel/passwd_mgr.cpp
@@ -39,6 +39,9 @@
 static const char* encryptKeyFileName = "/etc/key_file";
 static const size_t maxKeySize = 8;
 
+constexpr mode_t modeMask =
+    (S_ISUID | S_ISGID | S_ISVTX | S_IRWXU | S_IRWXG | S_IRWXO);
+
 #define META_PASSWD_SIG "=OPENBMC="
 
 /*
@@ -59,9 +62,31 @@
 
 PasswdMgr::PasswdMgr()
 {
+    restrictFilesPermission();
     initPasswordMap();
 }
 
+void PasswdMgr::restrictFilesPermission(void)
+{
+    struct stat st = {};
+    // Restrict file permission to owner read & write
+    if (stat(passwdFileName, &st) == 0)
+    {
+        if ((st.st_mode & modeMask) != (S_IRUSR | S_IWUSR))
+        {
+            chmod(passwdFileName, S_IRUSR | S_IWUSR);
+        }
+    }
+
+    if (stat(encryptKeyFileName, &st) == 0)
+    {
+        if ((st.st_mode & modeMask) != (S_IRUSR | S_IWUSR))
+        {
+            chmod(encryptKeyFileName, S_IRUSR | S_IWUSR);
+        }
+    }
+}
+
 std::string PasswdMgr::getPasswdByUserName(const std::string& userName)
 {
     checkAndReload();