diff --git a/Cargo.toml b/Cargo.toml
index 3e29c2cc9..31225eb63 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -66,6 +66,7 @@ prost-build = "0.12.1"
 [features]
 generate = []
+insecure_dev_only_unredacted_summary = []
 # See https://github.com/coreos/cargo-vendor-filterer
 [package.metadata.vendor-filter]
diff --git a/src/logging.rs b/src/logging.rs
index f2ee54ea7..10e920559 100644
--- a/src/logging.rs
+++ b/src/logging.rs
@@ -106,9 +106,18 @@ pub(crate) fn generate_summary(
 error: error.map(|e| format!("{:?}", e)),
 };
+ #[cfg(not(feature = "insecure_dev_only_unredacted_summary"))]
+ if summary.recert_config.summary_file.is_some() {
+ bail!("summary_file contains unredacted secret keys - use summary_file_clean instead, or build with --features insecure_dev_only_unredacted_summary");
+ }
+
+ #[cfg(feature = "insecure_dev_only_unredacted_summary")]
 if let Some(summary_file) = summary.recert_config.summary_file.clone() {
- let summary_file = summary_file.0.create().context("opening summary file for writing")?;
- serde_yaml::to_writer(summary_file, &summary).context("serializing cluster crypto into summary file")?;
+ use std::os::unix::fs::PermissionsExt;
+ let path = summary_file.0.path().to_owned();
+ let file = summary_file.0.create().context("opening summary file for writing")?;
+ std::fs::set_permissions(&path, std::fs::Permissions::from_mode(0o600)).context("setting summary file permissions to 0600")?;
+ serde_yaml::to_writer(file, &summary).context("serializing cluster crypto into summary file")?;
 }
 if let Some(summary_file_clean) = summary.recert_config.summary_file_clean.clone() {
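Review bot: The new `insecure_dev_only_unredacted_summary` entry under `[features]` carries no comment, and any build invoked with `--all-features` would switch it on without anyone choosing to. I would add `# DEV ONLY: writes unredacted secret keys to summary_file; never enable in release builds` above it. It may also be worth a `compile_error!` behind `#[cfg(all(feature = "insecure_dev_only_unredacted_summary", not(debug_assertions)))]` so a release profile cannot pick the feature up by accident.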
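Review bot: In the feature-enabled branch, `create()` runs before `std::fs::set_permissions(&path, …)`, so the file is first opened with the umask-default mode and then changed to 0600 by path; a pre-existing file that another process already holds open stays readable to that process, and the path is resolved a second time after the open. Because this file holds the unredacted secret keys, I would create it restrictive from the start, e.g. `std::fs::OpenOptions::new().write(true).create_new(true).mode(0o600).open(&path)` with `use std::os::unix::fs::OpenOptionsExt;` (if refusing to overwrite is acceptable), or at least set the mode on the open handle rather than on the path. Separately, the `bail!` in the `#[cfg(not(...))]` branch sits ahead of the `summary_file_clean` block, so a config that sets both fields writes neither; rejecting `summary_file` where the config is parsed would fail earlier and still produce the clean summary. generate_summary starts and ends outside the hunk.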