diff --git a/setup.sh b/setup.sh
index bb38554..d582b60 100644
--- a/setup.sh
+++ b/setup.sh
@@ -361,6 +361,37 @@ function paru_install () {
 sudo --user build paru -S --noconfirm "${@}"
 }
+function keep_initiramfs_root_only_rw () {
+ declare systemd_local_admin_override_path unit_name
+ systemd_local_admin_override_path='/etc/systemd/system'
+ unit_name='chmod-initramfs'
+ path_unit="${systemd_local_admin_override_path%/}"'/'"${unit_name}"'.path'
+ service_unit="${systemd_local_admin_override_path%/}"'/'"${unit_name}"'.service'
+
+ cat > "${path_unit}" <<"EOF"
+[Unit]
+Description=chmod initramfs to be root-read-writable only
+
+[Path]
+PathChanged=/boot/initramfs-linux.img
+
+[Install]
+WantedBy=multi-user.target
+WantedBy=system-update.target
+EOF
+
+ cat > "${service_unit}" <<"EOF"
+[Unit]
+Description=chmod initramfs to be root-read-writable only
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/chmod 600 /boot/initramfs-linux.img
+EOF
+
+ systemctl enable --now "${path_unit}"
+}
+
 function install_os_in_chroot () {
 ### Reinit keyring # As keyring is initialized at boot, and copied to the install dir with pacstrap, and ntp is running
@@ -376,6 +407,7 @@ function install_os_in_chroot () {
 hwclock --systohc
 locale-gen
 source /etc/locale.conf
+ keep_initiramfs_root_only_rw
 mkinitcpio -P # Install ZFSBootMenu and deps
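Review bot: The path unit and the service hard-code the single file `/boot/initramfs-linux.img`, while the installer runs `mkinitcpio -P`, which builds every preset. Any fallback or additional-kernel image those presets produce (not visible here) would keep its default mode. A path unit accepts several `PathChanged=` lines, so each generated image could be listed with a matching chmod in `ExecStart=`. The chmod also runs only after the change is noticed, so the file briefly has its creation mode; restricting the `/boot` directory itself (for example mode 700) would not depend on that timing. Separately, `path_unit` and `service_unit` are missing from the `declare` line and leak as globals: `declare systemd_local_admin_override_path unit_name path_unit service_unit`.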
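Review bot: The `mkinitcpio -P` run that directly follows this call is probably not covered by the new unit. Going by its name, `install_os_in_chroot` runs inside a chroot, where `systemctl enable --now` can create the enablement symlinks but has no running manager to start the path unit. The first image would then keep its creation mode until it is regenerated on the booted system. An explicit `chmod 600 /boot/initramfs-linux.img` right after `mkinitcpio -P` would close that gap. The body of `install_os_in_chroot` starts and ends outside the hunk.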