diff --git a/ChangeLog b/ChangeLog
index a154329..dd2dfb0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 Version 1.1.3
    - Catch nacl.exceptions.ValueError and raise KeyFormatError, similar to how
      RSA key errors are treated (LP: #2018021)
+   - Create ed25519 key files with secure permissions to avoid risk of
+     insecure chmode call/race condition (Thanks to Hanno Böck for the report
+     and the suggested fix) (LP: #2017430)
 
 2023-04-09 Version 1.1.2
    - Verify correct AMS header is used for ARC seal verification (André Cruz)
diff --git a/dkim/dknewkey.py b/dkim/dknewkey.py
index d189ede..94e114f 100644
--- a/dkim/dknewkey.py
+++ b/dkim/dknewkey.py
@@ -64,10 +64,12 @@ def GenEd25519Keys(private_key_file, verbose=True):
     if verbose:
         eprint('generating ' + private_key_file)
     priv_key = skg.generate()
+    if os.name == 'posix':
+        old_umask = os.umask(0o077)
     with open(private_key_file, 'w') as pkf:
         pkf.write(priv_key.encode(encoder=nacl.encoding.Base64Encoder).decode("utf-8"))
     if os.name == 'posix':
-        os.chmod(private_key_file, 0o600)
+        os.umask(old_umask)
     return(priv_key)
 
 def ExtractRSADnsPublicKey(private_key_file, dns_file, verbose=True):