diff --git a/silkaj/wot/revocation.py b/silkaj/wot/revocation.py
index 4a24a94bc4f123abe3d93c7d5a74912e4f11fcaf..76a7433bfb1c1432ac74abd32c0c4e758361b802 100644
--- a/silkaj/wot/revocation.py
+++ b/silkaj/wot/revocation.py
@@ -13,6 +13,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with Silkaj. If not, see <https://www.gnu.org/licenses/>.
 
+import os
 import sys
 from pathlib import Path
 from typing import Dict
@@ -163,6 +164,10 @@ def create_revocation_doc(_id: Dict, pubkey: str, currency: str) -> Revocation:
     )
 
 
+def opener_user_rw(path, flags):
+    return os.open(path, flags, 0o600)
+
+
 def save_doc(rev_path: Path, content: str, pubkey: str) -> None:
     pubkey_cksum = gen_pubkey_checksum(pubkey)
     # Ask confirmation if the file exists
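Review bot: The `0o600` passed to `os.open` in `opener_user_rw` is only applied when the call creates the file, so a revocation file that already exists with wider permissions (for example one written by an earlier release with the default umask) keeps them when `save_doc` overwrites it through the `open(..., opener=opener_user_rw)` call in the next hunk. A signed revocation document is presumably sensitive, which is why the commit restricts it, so the opener should also tighten the mode on the descriptor it returns: `fd = os.open(path, flags, 0o600)`, `os.fchmod(fd, 0o600)`, `return fd`, guarded for platforms where `os.fchmod` is unavailable. The helper also lacks a docstring and annotations; `"""Opener for open() that creates the file readable and writable by its owner only."""` with `(path: str, flags: int) -> int` would state its purpose. `save_doc` continues past the end of this hunk.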
@@ -175,7 +180,13 @@ gene    rated revocation document corresponding to {pubkey_cksum} public key?",
         else:
             click.echo("Ok, goodbye!")
             sys.exit(SUCCESS_EXIT_STATUS)
-    rev_path.write_text(content, encoding="utf-8")
+    with open(  # noqa: PTH123
+        rev_path,
+        "w",
+        encoding="utf-8",
+        opener=opener_user_rw,
+    ) as fh:
+        fh.write(content)
     click.echo(
         f"Revocation document file stored into `{rev_path}` for following public key: {pubkey_cksum}",
     )
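Review bot: The `# noqa: PTH123` on the `open(` call suppresses the pathlib lint without saying why, and a later cleanup could revert it to `rev_path.write_text(...)` and lose the restricted mode. I would add a comment above the `with` such as `# pathlib's write_text()/open() take no opener, so use builtin open() to create the file as 0o600`. The start of `save_doc` is outside this hunk.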
diff --git a/tests/unit/wot/test_revocation.py b/tests/unit/wot/test_revocation.py
index aa48b972faed0513fd623c11ad61f70fa6001677..1cdc4b5ecdb837608fc3e5539599d75b563520de 100644
--- a/tests/unit/wot/test_revocation.py
+++ b/tests/unit/wot/test_revocation.py
@@ -871,6 +871,10 @@ def test_save_doc(path, rev_1, rev_2, pubkey, capsys, monkeypatch):
         revocation.save_doc(path, rev_1.signed_raw(), pubkey)
         assert path.is_file()
         assert path.read_text(encoding="utf-8") == rev_1.signed_raw()
+
+        # test file has 600 permission
+        assert oct(path.stat().st_mode)[-3:] == "600"
+
         # test file is overwritten if confirm
         monkeypatch.setattr(click, "confirm", value=conf_true)
         revocation.save_doc(path, rev_2.signed_raw(), pubkey)
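Review bot: The new assertion only checks a file that `save_doc` has just created, so the overwrite case below it, where the file already exists, is never checked for permissions. Adding `path.chmod(0o644)` before the second `revocation.save_doc(path, rev_2.signed_raw(), pubkey)` and repeating the permission assertion after it would cover the case where an existing file has a wider mode. The check itself reads more clearly as `assert stat.S_IMODE(path.stat().st_mode) == 0o600` (needs `import stat`) than as slicing the `oct()` string. It also looks POSIX-specific, so it may need a skip on Windows if the suite runs there. `test_save_doc` starts and ends outside this hunk.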
@@ -878,6 +882,7 @@ def test_save_doc(path, rev_1, rev_2, pubkey, capsys, monkeypatch):
 for following public key: {gen_pubkey_checksum(pubkey)}"
         assert expected_confirm in capsys.readouterr().out
         assert path.read_text(encoding="utf-8") == rev_2.signed_raw()
+
         # test file is not overwritten if not confirm
         monkeypatch.setattr(click, "confirm", value=conf_false)
         with pytest.raises(SystemExit) as pytest_exit: