diff --git a/functions.sh b/functions.sh
index cbd5bad..ecf8a4c 100644
--- a/functions.sh
+++ b/functions.sh
@@ -10,6 +10,11 @@ cleanup (){
   sleep 3
   fuser -9 -k -v "$R"
 
+  # Clean up temporary .password file
+  if [ -r ".password" ] ; then
+    shred -zu .password
+  fi
+
   # Clean up all temporary mount points
   echo "removing temporary mount points ..."
   umount -l "$R/proc" 2> /dev/null
diff --git a/rpi2-gen-image.sh b/rpi2-gen-image.sh
index d25bdb6..a69c78d 100755
--- a/rpi2-gen-image.sh
+++ b/rpi2-gen-image.sh
@@ -452,6 +452,7 @@ if [ "$ENABLE_CRYPTFS" = true ] ; then
 
   # Setup password keyfile
   echo -n ${CRYPTFS_PASSWORD} > .password
+  chmod 600 .password
 
   # Initialize encrypted partition
   echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password