diff --git a/hermes_cli/config.py b/hermes_cli/config.py
index e00c85a04..bb0416b20 100644
--- a/hermes_cli/config.py
+++ b/hermes_cli/config.py
@@ -14,8 +14,9 @@ This module provides:
 import os
 import platform
-import sys
+import stat
 import subprocess
+import sys
 from pathlib import Path
 from typing import Dict, Any, Optional, List, Tuple
@@ -869,6 +870,13 @@ def save_env_value(key: str, value: str):
 with open(env_path, 'w', **write_kw) as f:
 f.writelines(lines)
+ # Restrict .env permissions to owner-only (contains API keys)
+ if not _IS_WINDOWS:
+ try:
+ os.chmod(env_path, stat.S_IRUSR | stat.S_IWUSR)
+ except OSError:
+ pass
+
 def get_env_value(key: str) -> Optional[str]:
 """Get a value from ~/.hermes/.env or environment."""
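Review bot: The owner-only mode is applied only after `open(env_path, 'w', ...)` has already written the keys, so a newly created `.env` sits at the umask-default mode (often group/world-readable) until the `os.chmod` call runs. Creating the file with the restrictive mode closes that window: `fd = os.open(env_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w', **write_kw) as f:`, keeping the chmod for files that already exist with looser bits. The `except OSError: pass` also means a failed chmod leaves the secrets file readable with no signal; a one-line warning on stderr in that branch would let the user correct it. save_env_value starts above this hunk, so how `env_path` and `write_kw` are built is not visible here.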