diff --git a/CHANGES b/CHANGES
index eed4b8e4d..b745f83c2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2458,4 +2458,4 @@
 * cifs: use credentials file for better password support
 * installer: rework script to fix DNS resolution issues
 * backup cleaner: do not clean if not mounted
-
+* restore: fix sftp private key perms
diff --git a/src/sftp.js b/src/sftp.js
index 3c03b06ab..4236934b5 100644
--- a/src/sftp.js
+++ b/src/sftp.js
@@ -24,20 +24,20 @@ const apps = require('./apps.js'),
 volumes = require('./volumes.js');
 async function ensureKeys() {
- let sftpPrivateKey = await blobs.get(blobs.SFTP_PRIVATE_KEY);
- let sftpPublicKey = await blobs.get(blobs.SFTP_PUBLIC_KEY);
+ const sftpPrivateKey = await blobs.get(blobs.SFTP_PRIVATE_KEY);
+ const sftpPublicKey = await blobs.get(blobs.SFTP_PUBLIC_KEY);
 if (!sftpPrivateKey || !sftpPublicKey) {
 debug('ensureSecrets: generating new sftp keys');
 if (!safe.child_process.execSync(`ssh-keygen -m PEM -t rsa -f "${paths.SFTP_KEYS_DIR}/ssh_host_rsa_key" -q -N ""`)) throw new BoxError(BoxError.OPENSSL_ERROR, `Could not generate sftp ssh keys: ${safe.error.message}`);
- sftpPublicKey = safe.fs.readFileSync(paths.SFTP_PUBLIC_KEY_FILE);
- await blobs.set(blobs.SFTP_PUBLIC_KEY, sftpPublicKey);
- sftpPrivateKey = safe.fs.readFileSync(paths.SFTP_PRIVATE_KEY_FILE);
- await blobs.set(blobs.SFTP_PRIVATE_KEY, sftpPrivateKey);
+ const newSftpPublicKey = safe.fs.readFileSync(paths.SFTP_PUBLIC_KEY_FILE);
+ await blobs.set(blobs.SFTP_PUBLIC_KEY, newSftpPublicKey);
+ const newSftpPrivateKey = safe.fs.readFileSync(paths.SFTP_PRIVATE_KEY_FILE);
+ await blobs.set(blobs.SFTP_PRIVATE_KEY, newSftpPrivateKey);
+ } else {
+ if (!safe.fs.writeFileSync(paths.SFTP_PUBLIC_KEY_FILE, sftpPublicKey)) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp public key: ${safe.error.message}`);
+ if (!safe.fs.writeFileSync(paths.SFTP_PRIVATE_KEY_FILE, sftpPrivateKey, { mode: 0o600 })) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp private key: ${safe.error.message}`);
 }
-
- if (!safe.fs.writeFileSync(paths.SFTP_PUBLIC_KEY_FILE, sftpPublicKey)) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp public key: ${safe.error.message}`);
- if (!safe.fs.writeFileSync(paths.SFTP_PRIVATE_KEY_FILE, sftpPrivateKey)) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp private key: ${safe.error.message}`);
 }
 async function start(existingInfra) {
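Review bot: The `{ mode: 0o600 }` option on the private-key `writeFileSync` in the new `else` branch only takes effect when the file is created, so a key file that already exists with looser permissions (for example one written by the previous code path on an earlier restore) keeps its old mode after this change. Assuming `safe.fs.writeFileSync` passes its options through to Node's `fs.writeFileSync`, follow the write with an explicit chmod such as `fs.chmodSync(paths.SFTP_PRIVATE_KEY_FILE, 0o600)` (or the `safe.fs` equivalent if the wrapper exposes one) and treat its failure as a `BoxError.FS_ERROR` like the writes. Separately, in the generate branch the two `safe.fs.readFileSync` results are passed to `blobs.set` without a check; if the wrapper returns null on failure, as the `if (!safe.fs.writeFileSync(...))` pattern suggests, a failed read would be stored as the key blob, so a guard that throws before `blobs.set` would be safer.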