diff --git a/changelog/12034.txt b/changelog/12034.txt
new file mode 100644
index 0000000000..09f91f8d66
--- /dev/null
+++ b/changelog/12034.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+storage/raft: Tweak creation of vault.db file
+```
diff --git a/physical/raft/fsm.go b/physical/raft/fsm.go
index b1d548964a..fb8eea228d 100644
--- a/physical/raft/fsm.go
+++ b/physical/raft/fsm.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -154,9 +155,22 @@ func (f *FSM) openDBFile(dbPath string) error {
 		return errors.New("can not open empty filename")
 	}
 
+	st, err := os.Stat(dbPath)
+	switch {
+	case err != nil && os.IsNotExist(err):
+	case err != nil:
+		return fmt.Errorf("error checking raft FSM db file %q: %v", dbPath, err)
+	default:
+		perms := st.Mode() & os.ModePerm
+		if perms&0o077 != 0 {
+			f.logger.Warn("raft FSM db file has wider permissions than needed",
+				"needed", os.FileMode(0o600), "existing", perms)
+		}
+	}
+
 	freelistType, noFreelistSync := freelistOptions()
 	start := time.Now()
-	boltDB, err := bolt.Open(dbPath, 0o666, &bolt.Options{
+	boltDB, err := bolt.Open(dbPath, 0o600, &bolt.Options{
 		Timeout:        1 * time.Second,
 		FreelistType:   freelistType,
 		NoFreelistSync: noFreelistSync,
diff --git a/physical/raft/snapshot.go b/physical/raft/snapshot.go
index f1503cd41c..529c84f26a 100644
--- a/physical/raft/snapshot.go
+++ b/physical/raft/snapshot.go
@@ -330,7 +330,7 @@ func (s *BoltSnapshotSink) writeBoltDBFile() error {
 
 	// Create the BoltDB file
 	dbPath := filepath.Join(path, databaseFilename)
-	boltDB, err := bolt.Open(dbPath, 0o666, &bolt.Options{Timeout: 1 * time.Second})
+	boltDB, err := bolt.Open(dbPath, 0o600, &bolt.Options{Timeout: 1 * time.Second})
 	if err != nil {
 		return err
 	}