diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index a45f21964376497612463a5840a31c8469bf1419..b8e474173953f21fe708b3b1913ce30a44dbe26c 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -460,10 +460,12 @@ (define (urandom-seed-shepherd-service _)
                    (let ((buf (make-bytevector 512)))
                      (call-with-input-file "/dev/urandom"
                        (lambda (urandom)
-                         (get-bytevector-n! urandom buf 0 512)
-                         (call-with-output-file #$%random-seed-file
-                           (lambda (seed)
-                             (put-bytevector seed buf)))
+                         (let ((previous-umask (umask #o077)))
+                           (get-bytevector-n! urandom buf 0 512)
+                           (call-with-output-file #$%random-seed-file
+                             (lambda (seed)
+                               (put-bytevector seed buf)))
+                           (umask previous-umask))
                          #t)))))
          (modules `((rnrs bytevectors)
                     (rnrs io ports)