diff --git a/modules/initrd-ssh.nix b/modules/initrd-ssh.nix
index 4d1a23d..928c607 100644
--- a/modules/initrd-ssh.nix
+++ b/modules/initrd-ssh.nix
@@ -32,4 +32,10 @@
       ];
     };
   };
+
+  # This only works for vfat (EFI),
+  # for ext2 (MBR) it needs to be changed manually with chmod.
+  fileSystems."/boot".options = lib.mkIf
+    (config.boot.initrd.network.ssh.enable && config.fileSystems."/boot".fsType == "vfat")
+    (lib.mkDefault [ "umask=0077" ]);
 }