diff --git a/proxy_agent/src/key_keeper.rs b/proxy_agent/src/key_keeper.rs
index 119f2902..a42f5bce 100644
--- a/proxy_agent/src/key_keeper.rs
+++ b/proxy_agent/src/key_keeper.rs
@@ -935,7 +935,21 @@ impl KeyKeeper {
 key_file.display(),
 e
 )))
- })
+ })?;
+
+ #[cfg(not(windows))]
+ {
+ // set the file permissions to 600 for non-windows platform
+ proxy_agent_shared::linux::set_file_permissions(&key_file, 0o600).map_err(|e| {
+ Error::Key(KeyErrorType::StoreLocalKey(format!(
+ "set_file_permissions '{}' failed {}",
+ key_file.display(),
+ e
+ )))
+ })?;
+ }
+
+ Ok(())
 }
 }
diff --git a/proxy_agent/src/provision.rs b/proxy_agent/src/provision.rs
index 89862fc3..827af8f3 100644
--- a/proxy_agent/src/provision.rs
+++ b/proxy_agent/src/provision.rs
@@ -435,11 +435,21 @@ async fn write_provision_state(
 }
 if let Err(e) = std::fs::write(
- provisioned_file,
+ &provisioned_file,
 misc_helpers::get_date_time_string_with_milliseconds(),
 ) {
 logger::write_error(format!("Failed to write provisioned file with error: {e}"));
 }
+ #[cfg(not(windows))]
+ {
+ proxy_agent_shared::linux::set_file_permissions(&provisioned_file, 0o600).unwrap_or_else(
+ |e| {
+ logger::write_error(format!(
+ "Failed to set provisioned file permission to 600 with error: {e}"
+ ));
+ },
+ );
+ }
 let mut failed_state_message =
 get_provision_failed_state_message(provision_shared_state, agent_status_shared_state).await;
@@ -484,6 +494,19 @@ async fn write_provision_state(
 logger::write_error(format!("Failed to write temp status file with error: {e}"));
 }
 }
+
+ #[cfg(not(windows))]
+ {
+ proxy_agent_shared::linux::set_file_permissions(
+ &provision_dir.join(STATUS_TAG_FILE_NAME),
+ 0o600,
+ )
+ .unwrap_or_else(|e| {
+ logger::write_error(format!(
+ "Failed to set status file permission to 600 with error: {e}"
+ ));
+ });
+ }
 }
 /// Get provision failed state message
diff --git a/proxy_agent/src/proxy_agent_status.rs b/proxy_agent/src/proxy_agent_status.rs
index aec85804..5bed94db 100644
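Review bot: Tightening the key file to 0o600 only after the preceding write has completed (the call that now ends in `})?;`) leaves a window in which the file exists with whatever mode the process umask allowed, and a failure of `set_file_permissions` returns an error while the key stays on disk with that looser mode. The write itself is outside this hunk, so this is inferred from the error path shown; if it is a plain `std::fs::write`, creating the file restricted from the start closes the gap, e.g. `std::fs::OpenOptions::new().write(true).create(true).truncate(true).mode(0o600).open(&key_file)` with `std::os::unix::fs::OpenOptionsExt` under the same `#[cfg(not(windows))]`. Keep the `set_file_permissions` call as well, because `mode()` only takes effect when the file is newly created. The provision.rs and proxy_agent_status.rs hunks use the same write-then-chmod order, though the data written there looks less sensitive.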
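Review bot: The new `set_file_permissions(&provisioned_file, 0o600)` block in provision.rs runs even when the `std::fs::write` just above it failed, so a missing file produces a second, misleading "Failed to set provisioned file permission" error on top of the write error. Moving the permission call into an `else` branch of `if let Err(e) = std::fs::write(...)` keeps the log to one cause per failure. The later hunk at `@@ -484,6 +494,19 @@` has the same shape: the chmod of `provision_dir.join(STATUS_TAG_FILE_NAME)` sits after the block that logs "Failed to write temp status file" and appears to run whether or not that write succeeded, though the enclosing code starts outside the hunk.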
--- a/proxy_agent/src/proxy_agent_status.rs
+++ b/proxy_agent/src/proxy_agent_status.rs
@@ -297,6 +297,16 @@ impl ProxyAgentStatusTask {
 ))
 .await;
 } else {
+ #[cfg(not(windows))]
+ {
+ proxy_agent_shared::linux::set_file_permissions(&full_file_path, 0o640)
+ .unwrap_or_else(|e| {
+ logger::write_error(format!(
+ "Failed to set status.json file permission to 640 with error: {e}"
+ ));
+ });
+ }
+
 // need overwrite the status message to indicate the status file is written successfully
 self.update_agent_status_message(format!(
 "Aggregate status written to status file: {}",
diff --git a/proxy_agent_setup/src/linux.rs b/proxy_agent_setup/src/linux.rs
index 70921167..93fb6b07 100644
--- a/proxy_agent_setup/src/linux.rs
+++ b/proxy_agent_setup/src/linux.rs
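Review bot: This is the only file in the commit set to 0o640 rather than 0o600, and nothing in the hunk says which group is expected to read status.json. A comment above the call, such as `// 0o640: status.json is read by <group/consumer>; group read is required`, would record why group access is needed and keep a later cleanup from tightening it and breaking the reader, or from widening it further. Which group owns the file depends on how it was created, which is outside this hunk, so confirming the owning group belongs to the same check.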
@@ -12,16 +12,31 @@ const EBPF_FILE: &str = "ebpf_cgroup.o";
 const CONFIG_PATH: &str = "/etc/azure/proxy-agent.json";
 const EBPF_PATH: &str = "/usr/lib/azure-proxy-agent/ebpf_cgroup.o";
-pub fn setup_service(service_name: &str, service_file_dir: PathBuf) -> Result {
+pub fn setup_service(service_name: &str, service_file_dir: PathBuf) -> Result<()> {
 copy_service_config_file(service_name, service_file_dir)
 }
-fn copy_service_config_file(service_name: &str, service_file_dir: PathBuf) -> Result {
+fn copy_service_config_file(service_name: &str, service_file_dir: PathBuf) -> Result<()> {
 let service_config_name = format!("{service_name}.service");
 let src_config_file_path = service_file_dir.join(&service_config_name);
 let dst_config_file_path = PathBuf::from(proxy_agent_shared::linux::SERVICE_CONFIG_FOLDER_PATH)
 .join(&service_config_name);
- fs::copy(src_config_file_path, dst_config_file_path).map_err(Into::into)
+ fs::copy(src_config_file_path, &dst_config_file_path).map_err(|e| {
+ std::io::Error::other(format!(
+ "Failed to copy service config file to {dst_config_file_path:?} with error: {e}"
+ ))
+ })?;
+ // set the file permissions to 644 for the service config unit file
+ proxy_agent_shared::linux::set_file_permissions(&dst_config_file_path, 0o644).map_err(|e| {
+ std::io::Error::other(format!(
+ "Failed to set file permissions for {dst_config_file_path:?} with error: {e}"
+ ))
+ })?;
+
+ logger::write(format!(
+ "Copied service config file to {dst_config_file_path:?}"
+ ));
+ Ok(())
 }
 fn backup_service_config_file(backup_folder: PathBuf) {
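Review bot: Wrapping the `fs::copy` failure in `std::io::Error::other(...)` replaces the original `ErrorKind` (for example `NotFound` or `PermissionDenied`) with `Other`, so callers of `copy_service_config_file` and `setup_service` can no longer branch on the cause. `std::io::Error::new(e.kind(), format!("Failed to copy service config file to {} with error: {e}", dst_config_file_path.display()))` keeps the kind and adds the same context; `.display()` also avoids the quoted, escaped form that `{dst_config_file_path:?}` prints. The second `map_err` could do the same if the error returned by `set_file_permissions` exposes a kind, which is not visible in this hunk.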
@@ -94,7 +109,22 @@ pub fn copy_files(src_folder: PathBuf) {
 src_folder.join("azure-proxy-agent"),
 dst_folder.join("azure-proxy-agent"),
 );
+ // set the file permissions to 755 for the azure-proxy-agent binary
+ proxy_agent_shared::linux::set_file_permissions(&dst_folder.join("azure-proxy-agent"), 0o755)
+ .unwrap_or_else(|e| {
+ logger::write_error(format!(
+ "Failed to set azure-proxy-agent file permission to 755 with error: {e}"
+ ));
+ });
+
 copy_file(src_folder.join(CONFIG_FILE), PathBuf::from(CONFIG_PATH));
+ proxy_agent_shared::linux::set_file_permissions(&PathBuf::from(CONFIG_PATH), 0o644)
+ .unwrap_or_else(|e| {
+ logger::write_error(format!(
+ "Failed to set config file permission to 644 with error: {e}"
+ ));
+ });
+
 copy_file(src_folder.join(EBPF_FILE), PathBuf::from(EBPF_PATH));
 }
diff --git a/proxy_agent_shared/src/linux.rs b/proxy_agent_shared/src/linux.rs
index b09cbe0b..b0481814 100644
--- a/proxy_agent_shared/src/linux.rs
+++ b/proxy_agent_shared/src/linux.rs
@@ -174,9 +174,18 @@ pub fn read_proc_memory_status(pid: u32) -> Result {
 Ok(MemStatus { vmrss_kb, vmhwm_kb })
 }
+/// Set the file permissions for a file or directory.
+pub fn set_file_permissions(path: &PathBuf, mode: u32) -> Result<()> {
+ use std::os::unix::fs::PermissionsExt;
+ let permissions = fs::Permissions::from_mode(mode);
+ fs::set_permissions(path, permissions)?;
+ Ok(())
+}
+
 #[cfg(test)]
 mod tests {
 use crate::misc_helpers;
+ use std::os::unix::fs::PermissionsExt as _;
 #[test]
 fn get_os_version_tests() {
@@ -228,4 +237,15 @@ mod tests {
 }
 };
 }
+
+ #[test]
+ fn set_file_permissions_test() {
+ let test_file_path = "/tmp/test_file_permissions.txt";
+ std::fs::write(test_file_path, "test").unwrap();
+ let path = std::path::PathBuf::from(test_file_path);
+ super::set_file_permissions(&path, 0o644).unwrap();
+ let metadata = std::fs::metadata(test_file_path).unwrap();
+ assert_eq!(metadata.permissions().mode() & 0o777, 0o644);
+ std::fs::remove_file(test_file_path).unwrap();
+ }
 }
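Review bot: The binary and the config file now get explicit modes, but the last copy in this hunk, `copy_file(src_folder.join(EBPF_FILE), PathBuf::from(EBPF_PATH))`, is left with whatever mode the copy produced. If `copy_file` wraps `fs::copy` (its body is not in this hunk), the destination inherits the source file's permission bits, so a group- or world-writable object in the package directory would stay writable at the install path. Adding `proxy_agent_shared::linux::set_file_permissions(&PathBuf::from(EBPF_PATH), 0o644)` with the same `unwrap_or_else` logging would make the three installed files consistent.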
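Review bot: `set_file_permissions` takes `path: &PathBuf`, which forces callers holding a `&str` or `&Path` to allocate, as the setup code does with `&PathBuf::from(CONFIG_PATH)`. `pub fn set_file_permissions(path: &Path, mode: u32) -> Result<()>` still accepts every existing `&PathBuf` call through deref coercion, provided `std::path::Path` is in scope in this file. The doc comment could also state that `fs::set_permissions` follows symbolic links, so the mode is applied to the link target rather than to the link itself.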
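Review bot: `set_file_permissions_test` writes to the fixed path `/tmp/test_file_permissions.txt`, which concurrent test runs on the same machine will share, and which fails or touches an unrelated file if that path already exists under another owner. Building the path from `std::env::temp_dir()` with a per-process name, e.g. `std::env::temp_dir().join(format!("test_file_permissions_{}.txt", std::process::id()))`, avoids the collision. The `remove_file` at the end is also skipped when the `assert_eq!` fails, so a failing run leaves the file behind.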