diff --git a/scripts/decrypt b/scripts/decrypt
index 2fff1822..49a67b9c 100755
--- a/scripts/decrypt
+++ b/scripts/decrypt
@@ -66,6 +66,9 @@ fi
 RC=0
 TARGZ=/etc/ngcp-config-crypted.tgz
 
+# ensure created files can be read by root only
+umask 066
+
 if ! gpg -d "$TARGZ".gpg > "$TARGZ" ; then
   log_error "Error while decrypting ${TARGZ}.gpg"
   RC=1
diff --git a/scripts/encrypt b/scripts/encrypt
index 13db5a5a..ba414225 100755
--- a/scripts/encrypt
+++ b/scripts/encrypt
@@ -41,6 +41,9 @@ if ! type -p gpg &>/dev/null ; then
   exit 1
 fi
 
+# ensure created files can be read by root only
+umask 066
+
 RC=0
 TARGZ=/etc/ngcp-config-crypted.tgz
 FILES=$(get_config_file_list)
@@ -48,9 +51,13 @@ FILES=$(get_config_file_list)
 tar zcf "$TARGZ" /etc/ngcp-config/ $FILES /etc/.git
 if gpg --symmetric "$TARGZ" ; then
   log_info "Successfully created crypted ngcpcfg configuration archive ${TARGZ}.gpg"
+  # ensure we don't leave the unencrypted version behind
+  rm -f "${TARGZ}"
 else
-  log_error "Error while setting up $TARGZ"
-  RC=1
+  log_error "Error while setting up ${TARGZ}.gpg"
+  # ensure we don't leave the unencrypted version behind
+  rm -f "${TARGZ}"
+  exit 1
 fi
 
 log_info_n "Now really erase all configuration files managed by ngcpcfg? [y/N] "