diff --git a/manifests/init.pp b/manifests/init.pp
index 345be602..752624b5 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -63,6 +63,7 @@
   $watches           = {},
   $checks            = {},
   $acls              = {},
+  $umask             = '0022',
 ) inherits consul::params {
 
   validate_bool($purge_config_dir)
diff --git a/templates/consul.debian.erb b/templates/consul.debian.erb
index 08429bdf..2ba961ad 100644
--- a/templates/consul.debian.erb
+++ b/templates/consul.debian.erb
@@ -56,7 +56,7 @@ do_start()
     mkrundir
     start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --chuid $USER --background --make-pidfile --test > /dev/null \
         || return 1
-    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --chuid $USER --background --make-pidfile -- \
+    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --chuid $USER --background --make-pidfile <%= scope.lookupvar('consul::umask') %> -- \
         $DAEMON_ARGS \
         || return 2
 
diff --git a/templates/consul.launchd.erb b/templates/consul.launchd.erb
index 6273b221..7c0e196b 100644
--- a/templates/consul.launchd.erb
+++ b/templates/consul.launchd.erb
@@ -5,6 +5,7 @@
     <key>Label</key>             <string>io.consul.daemon</string>
     <key>UserName</key>          <string><%= scope.lookupvar('consul::user') %></string>
     <key>GroupName</key>         <string><%= scope.lookupvar('consul::group') %></string>
+    <key>Umask</key>             <string><%= scope.lookupvar('consul::umask') %></string>
 <% if scope.lookupvar('consul::service_enable') %>
     <key>Disabled</key>          <false/>
 <% else %>
diff --git a/templates/consul.sles.erb b/templates/consul.sles.erb
index 40558e12..fec7b962 100644
--- a/templates/consul.sles.erb
+++ b/templates/consul.sles.erb
@@ -36,6 +36,7 @@ case "$1" in
         echo -n "Starting consul "
         ## Start daemon with startproc(8). If this fails
         ## the return value is set appropriately by startproc.
+        umask <%= scope.lookupvar('consul::umask') %>
         startproc $CONSUL_BIN agent -config-dir "$CONFIG_DIR" <%= scope.lookupvar('consul::extra_options') %> >> "$LOG_FILE"
 
         # Remember status and be verbose
diff --git a/templates/consul.systemd.erb b/templates/consul.systemd.erb
index ed940784..a2d9d1ff 100644
--- a/templates/consul.systemd.erb
+++ b/templates/consul.systemd.erb
@@ -6,6 +6,7 @@ After=basic.target network.target
 [Service]
 User=<%= scope.lookupvar('consul::user') %>
 Group=<%= scope.lookupvar('consul::group') %>
+Umask=<%= scope.lookupvar('consul::umask') %>
 ExecStart=<%= scope.lookupvar('consul::bin_dir') %>/consul agent \
   -config-dir <%= scope.lookupvar('consul::config_dir') %> <%= scope.lookupvar('consul::extra_options') %>
 ExecReload=/bin/kill -HUP $MAINPID
diff --git a/templates/consul.sysv.erb b/templates/consul.sysv.erb
index 344b8c61..5d8e2593 100644
--- a/templates/consul.sysv.erb
+++ b/templates/consul.sysv.erb
@@ -52,7 +52,7 @@ start() {
         mkrundir
         [ -f $PID_FILE ] && rm $PID_FILE
         daemon --user=<%= scope.lookupvar('consul::user') %> \
-            --pidfile="$PID_FILE" \
+            --pidfile="$PID_FILE" --umask=<%= scope.lookupvar('consul::umask') %> \
             "$CONSUL" agent -pid-file "${PID_FILE}" -config-dir "$CONFIG" <%= scope.lookupvar('consul::extra_options') %> >> "$LOG_FILE" &
         retcode=$?
         touch /var/lock/subsys/consul
diff --git a/templates/consul.upstart.erb b/templates/consul.upstart.erb
index e6446c32..e049a327 100644
--- a/templates/consul.upstart.erb
+++ b/templates/consul.upstart.erb
@@ -6,6 +6,7 @@ stop on runlevel [06]
 env CONSUL=<%= scope.lookupvar('consul::bin_dir') %>/consul
 env CONFIG=<%= scope.lookupvar('consul::config_dir') %>
 
+umask <%= scope.lookupvar('consul::umask') %>
 
 script
     # read settings like GOMAXPROCS from "/etc/default/consul", if available.