diff --git a/nixos/modules/services/backup/postgresql-backup.nix b/nixos/modules/services/backup/postgresql-backup.nix
index 2ec78ce6f2cfa2..f9f9568faa5c4f 100644
--- a/nixos/modules/services/backup/postgresql-backup.nix
+++ b/nixos/modules/services/backup/postgresql-backup.nix
@@ -20,6 +20,8 @@ let
       '';
 
       script = ''
+        umask 0077 # ensure backup is only readable by postgres user
+
         if [ -e ${cfg.location}/${db}.sql.gz ]; then
           ${pkgs.coreutils}/bin/mv ${cfg.location}/${db}.sql.gz ${cfg.location}/${db}.prev.sql.gz
         fi
diff --git a/nixos/tests/postgresql.nix b/nixos/tests/postgresql.nix
index ed54a31c8e52b9..1d434b62a5cb5a 100644
--- a/nixos/tests/postgresql.nix
+++ b/nixos/tests/postgresql.nix
@@ -58,6 +58,7 @@ let
       # Check backup service
       $machine->succeed("systemctl start postgresqlBackup-postgres.service");
       $machine->succeed("zcat /var/backup/postgresql/postgres.sql.gz | grep '<test>ok</test>'");
+      $machine->succeed("stat -c '%a' /var/backup/postgresql/postgres.sql.gz | grep 600");
       $machine->shutdown;
     '';