diff --git a/manifests/ssh.pp b/manifests/ssh.pp
index ae64e1cd87ed6882870a8da69853e2d24c6c315b..18bfddbf1fa02e0baa92a6778727ed9f3ddb2210 100644
--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -117,8 +117,9 @@ class base::ssh(
 
   if ($root_authorized_keys) {
     file { '/root/.ssh/authorized_keys':
-      ensure => present,
+      ensure  => present,
       content => $root_authorized_keys,
+      mode    => '0640',
     }
   } else {
     # Make sure public key authentication to root does not work and clean up