diff --git a/meson.build b/meson.build
index 496ca70ecc..97622b6d97 100644
--- a/meson.build
+++ b/meson.build
@@ -208,6 +208,7 @@ catalogstatedir = systemdstatedir / 'catalog'
 randomseeddir = localstatedir / 'lib/systemd'
 profiledir = rootlibexecdir / 'portable' / 'profile'
 ntpservicelistdir = rootprefixdir / 'lib/systemd/ntp-units.d'
+credstoredir = prefixdir / 'lib/credstore'
 
 docdir = get_option('docdir')
 if docdir == ''
@@ -709,6 +710,7 @@ find = find_program('find')
 meson_make_symlink = project_source_root + '/tools/meson-make-symlink.sh'
 
 mkdir_p = 'mkdir -p $DESTDIR/@0@'
+mkdir_p_mode = 'mkdir -p $DESTDIR/@0@ -m @1@'
 
 # If -Dxxx-path option is found, use that. Otherwise, check in $PATH,
 # /usr/sbin, /sbin, and fall back to the default from middle column.
@@ -3844,6 +3846,14 @@ public_programs += executable(
         install : true,
         install_dir : rootbindir)
 
+# Protecting files from the distro in /usr doesn't make sense since they can be trivially accessed otherwise,
+# so don't restrict the access mode in /usr. That doesn't apply to /etc, so we do restrict the access mode
+# there.
+meson.add_install_script('sh', '-c', mkdir_p.format(credstoredir))
+if install_sysconfdir
+        meson.add_install_script('sh', '-c', mkdir_p_mode.format(sysconfdir / 'credstore', '0700'))
+endif
+
 executable(
         'systemd-volatile-root',
         'src/volatile-root/volatile-root.c',