diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index 41337c7467ef..808b64501829 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -135,6 +135,8 @@ in
       path  = [ pkgs.wget ];
       script =
         ''
+          # When dealing with cryptographic keys, we want to keep things private.
+          umask 077
           wget="wget --retry-connrefused -t 6 --waitretry=10"
           # Don't download the SSH key if it has already been downloaded
           if ! [ -e /root/.ssh/authorized_keys ]; then