diff --git a/manifests/compute/hypervisor.pp b/manifests/compute/hypervisor.pp
index 74dfe8f8..5362de06 100644
--- a/manifests/compute/hypervisor.pp
+++ b/manifests/compute/hypervisor.pp
@@ -144,9 +144,9 @@ Host *
     Ceph::Key <<| title == $cinder_rbd_user |>>
 
     ensure_resource('file', "/etc/ceph/ceph.client.${cinder_rbd_user}.keyring", {
-      owner   => 'nova',
-      group   => 'nova',
-      mode    => '0400',
+      owner   => 'cinder',
+      group   => 'cinder',
+      mode    => '0444',
       require => "Ceph::Key[${cinder_rbd_user}]",
     })
     Concat::Fragment <<| title == 'ceph-client-os' |>>
diff --git a/manifests/volume/backend/rbd.pp b/manifests/volume/backend/rbd.pp
index 369c2571..61a0aea0 100644
--- a/manifests/volume/backend/rbd.pp
+++ b/manifests/volume/backend/rbd.pp
@@ -76,7 +76,7 @@ define cloud::volume::backend::rbd (
   ensure_resource('file', "/etc/ceph/ceph.client.${rbd_user}.keyring", {
     owner   => 'cinder',
     group   => 'cinder',
-    mode    => '0400',
+    mode    => '0444',
     require => "Ceph::Key[${rbd_user}]",
   })
   Concat::Fragment <<| title == 'ceph-client-os' |>>