diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb
index bd4080c0fd39..a56085ccc2f3 100644
--- a/lib/rubygems/config_file.rb
+++ b/lib/rubygems/config_file.rb
@@ -235,7 +235,8 @@ def rubygems_api_key=(api_key)
 Gem.load_yaml
- File.open(credentials_path, 'w') do |f|
+ permissions = 0600 & (~File.umask)
+ File.open(credentials_path, 'w', permissions) do |f|
 f.write config.to_yaml
 end
diff --git a/test/rubygems/test_gem_config_file.rb b/test/rubygems/test_gem_config_file.rb
index a50a39ca4f38..d3b45f337667 100644
--- a/test/rubygems/test_gem_config_file.rb
+++ b/test/rubygems/test_gem_config_file.rb
@@ -309,6 +309,14 @@ def test_load_api_keys_from_config
 :other => 'a5fdbb6ba150cbb83aad2bb2fede64c'}, @cfg.api_keys)
 end
+ def test_save_credentials_file_with_strict_permissions
+ util_config_file
+ FileUtils.mkdir File.dirname(@cfg.credentials_path)
+ @cfg.rubygems_api_key = '701229f217cdf23b1344c7b4b54ca97'
+ mode = 0100600 & (~File.umask)
+ assert_equal mode, File.stat(@cfg.credentials_path).mode unless win_platform?
+ end
+
 def util_config_file(args = @cfg_args)
 @cfg = Gem::ConfigFile.new args
 end
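Review bot: The mode passed to `File.open(credentials_path, 'w', permissions)` is honoured only when the call creates the file, so a credentials file that already exists with group- or world-readable bits keeps them and the API key stays readable by other local users after it is rewritten. Setting the mode explicitly as the first statement inside the block covers both the new-file and the existing-file case: `f.chmod 0600`. The `& (~File.umask)` term looks redundant, since the operating system already applies the process umask to the mode argument at creation. The body of rubygems_api_key= begins and ends outside this hunk, and the new test in test/rubygems/test_gem_config_file.rb exercises only the fresh-file path, so it would not catch this.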
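Review bot: The expected value in test_save_credentials_file_with_strict_permissions is computed with the same masking expression as the implementation, so the assertion restates the code rather than the property being protected. Asserting the property directly reads more clearly and holds under any umask: `assert_equal 0, File.stat(@cfg.credentials_path).mode & 0077`. The trailing `unless win_platform?` also lets the test pass silently on Windows; an explicit skip at the top of the method would make that visible in the test report (which skip helper this suite provides is not visible from the hunk).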