diff --git a/Dockerfile b/Dockerfile
index 3ff5f0b4841b7038e71685e001011089bf6a65a0..4b1286371e52cc40b14f5ddd50774a4c643d758e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -65,8 +65,11 @@ RUN yum install -y --nogpg install xrootd-client
 # This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud
 # Infrastructure; you can remove these lines if you don't need one.
 RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab; \
-    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab; \
-    chown daemon:daemon /etc/eos.keytab
+    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab
+
+# Setup keytab permissions
+RUN chown daemon:daemon /etc/eos.keytab; \
+    chmod 400 /etc/eos.keytab
 
 # Change owner of /var/spool/xrootd directory to daemon
 RUN chown daemon:daemon /var/spool/xrootd
diff --git a/Dockerfile_asan b/Dockerfile_asan
index d465956f8d4665c1f910c8699542e4ab9236405d..b150b59dd9672361863245665a63a1903edce8a9 100644
--- a/Dockerfile_asan
+++ b/Dockerfile_asan
@@ -46,7 +46,10 @@ RUN createrepo ${EOSREPODIR}; \
 # Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable one (installed by the eos-testkeytab package).
 # This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud Infrastructure; you can remove these lines if you don't need one.
 RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab; \
-    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab; \
-    chown daemon:daemon /etc/eos.keytab
+    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab
+
+# Setup keytab permissions
+RUN chown daemon:daemon /etc/eos.keytab; \
+    chmod 400 /etc/eos.keytab
 
 ENTRYPOINT ["/bin/bash"]
diff --git a/Dockerfile_c8 b/Dockerfile_c8
index 520fee0d0328f86cefbb9d14fedb3f172c8258a1..6036ad84143140229372f610d7d948640d65431a 100644
--- a/Dockerfile_c8
+++ b/Dockerfile_c8
@@ -50,8 +50,11 @@ RUN createrepo ${EOSREPODIR}; \
 # This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud
 # Infrastructure; you can remove these lines if you don't need one.
 RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab; \
-    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab; \
-    chown daemon:daemon /etc/eos.keytab
+    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab
+
+# Setup keytab permissions
+RUN chown daemon:daemon /etc/eos.keytab; \
+    chmod 400 /etc/eos.keytab
 
 # Change owner of /var/spool/xrootd directory to daemon
 RUN chown daemon:daemon /var/spool/xrootd
diff --git a/Dockerfile_coverage b/Dockerfile_coverage
index c800bcc0defd8320a03c98f897687a3c523cf0bd..942414ccdc0d80558ab5c85f7e4d4d90b88cf7c5 100644
--- a/Dockerfile_coverage
+++ b/Dockerfile_coverage
@@ -66,7 +66,10 @@ RUN mkdir -p /root/rpmbuild/BUILD/; \
 # Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable one (installed by the eos-testkeytab package).
 # This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud Infrastructure; you can remove these lines if you don't need one.
 RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab; \
-    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab; \
-    chown daemon:daemon /etc/eos.keytab
+    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab
+
+# Setup keytab permissions
+RUN chown daemon:daemon /etc/eos.keytab; \
+    chmod 400 /etc/eos.keytab
 
 ENTRYPOINT ["/bin/bash"]
diff --git a/Dockerfile_ubuntu_bionic b/Dockerfile_ubuntu_bionic
index 1e2b738d9ae96a740c878bd631933b1ed3aa179c..4475e8f9117e075f9cb4cc76179a01506fcd2949 100644
--- a/Dockerfile_ubuntu_bionic
+++ b/Dockerfile_ubuntu_bionic
@@ -49,6 +49,6 @@ RUN apt-get install -y eos-client eos-fuse eos-fusex eos-test eos-testkeytab
 
 # Change persmissions for keytab
 RUN chown daemon:daemon /etc/eos.keytab; \
-    chmod 600 /etc/eos.keytab
+    chmod 400 /etc/eos.keytab
 
 ENTRYPOINT ["/bin/bash"]
diff --git a/Dockerfile_ubuntu_disco b/Dockerfile_ubuntu_disco
index 734cc179aea15dd5b9cd9663533a20d8722def21..df51fc0f83112cd229a43453234cd2103b3d77f3 100644
--- a/Dockerfile_ubuntu_disco
+++ b/Dockerfile_ubuntu_disco
@@ -49,6 +49,6 @@ RUN apt-get install -y eos-client eos-fuse eos-fusex eos-test eos-testkeytab
 
 # Change persmissions for keytab
 RUN chown daemon:daemon /etc/eos.keytab; \
-    chmod 600 /etc/eos.keytab
+    chmod 400 /etc/eos.keytab
 
 ENTRYPOINT ["/bin/bash"]
diff --git a/Dockerfile_xrd_testing b/Dockerfile_xrd_testing
index 2dad36f2c69a8ecbc2c1f6530d9180442aa5cee0..b4f52d5bde9142594da6a181eee663a00404811c 100644
--- a/Dockerfile_xrd_testing
+++ b/Dockerfile_xrd_testing
@@ -51,7 +51,10 @@ RUN createrepo ${EOSREPODIR}; \
 # Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable one (installed by the eos-testkeytab package).
 # This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud Infrastructure; you can remove these lines if you don't need one.
 RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab; \
-    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab; \
-    chown daemon:daemon /etc/eos.keytab
+    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab
+
+# Setup keytab permissions
+RUN chown daemon:daemon /etc/eos.keytab; \
+    chmod 400 /etc/eos.keytab
 
 ENTRYPOINT ["/bin/bash"]