diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c
index ab5bd9bff9..43771a28ca 100644
--- a/src/tpm2-setup/tpm2-setup.c
+++ b/src/tpm2-setup/tpm2-setup.c
@@ -338,7 +338,7 @@ static int run(int argc, char *argv[]) {
         /* Write out public key (note that we only do that as a help to the user, we don't make use of this ever */
         _cleanup_(unlink_and_freep) char *t = NULL;
         _cleanup_fclose_ FILE *f = NULL;
-        r = fopen_tmpfile_linkable(pem_path, O_WRONLY, &t, &f);
+        r = fopen_tmpfile_linkable(pem_path, O_WRONLY|O_CLOEXEC, &t, &f);
         if (r < 0)
                 return log_error_errno(r, "Failed to open SRK public key file '%s' for writing: %m", pem_path);
 
@@ -365,7 +365,7 @@ static int run(int argc, char *argv[]) {
         (void) mkdir_parents(tpm2b_public_path, 0755);
 
         /* Now also write this out in TPM2B_PUBLIC format */
-        r = fopen_tmpfile_linkable(tpm2b_public_path, O_WRONLY, &t, &f);
+        r = fopen_tmpfile_linkable(tpm2b_public_path, O_WRONLY|O_CLOEXEC, &t, &f);
         if (r < 0)
                 return log_error_errno(r, "Failed to open SRK public key file '%s' for writing: %m", tpm2b_public_path);