btw. On first startup the private key file is created with 600. Maybe it would be a good idea to check on every startup the file permission and raise a error if it’s to open.
I think it’s sufficient to set it to recommended permissions at creation. There could be situations where it’s valid to have other permissions that we shouldn’t override if someone explicitly changes them.