diff --git a/proxmox-product-config/src/filesystem_helpers.rs b/proxmox-product-config/src/filesystem_helpers.rs
index c5a372fa..4a7fabd4 100644
--- a/proxmox-product-config/src/filesystem_helpers.rs
+++ b/proxmox-product-config/src/filesystem_helpers.rs
@@ -3,6 +3,7 @@ use std::path::Path;
 use anyhow::Error;
 use nix::sys::stat::Mode;
+use proxmox_sys::error::SysError;
 use proxmox_sys::fs::CreateOptions;
 use super::{get_api_user, get_priv_user};
@@ -88,6 +89,18 @@ pub fn replace_secret_config>(path: P, data: &[u8]) -> Result<(),
 Ok(())
 }
+/// Creates a directory owned by `priv_user.uid:priv_user.gid` with permission `0700`.
+///
+/// Simply returns Ok if the directory already exists.
+pub fn create_secret_dir>(dir: P) -> Result<(), Error> {
+ let options = secret_create_options().perm(Mode::from_bits_truncate(0o700));
+ match proxmox_sys::fs::create_dir(dir, options) {
+ Ok(()) => Ok(()),
+ Err(err) if err.already_exists() => Ok(()),
+ Err(err) => Err(err.into()),
+ }
+}
+
 /// Atomically write data to file owned by `root:root` with permission `0644`.
 ///
 /// Everyone can read, but only the superuser can write those files. This is usually used
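Review bot: The `Err(err) if err.already_exists() => Ok(())` arm in `create_secret_dir` accepts whatever is already at the path, so the `0700` mode and priv-user ownership promised by the doc comment hold only when this call actually creates the directory. A pre-existing directory with a wider mode or a different owner, or a non-directory entry (EEXIST is not specific to directories), is reported as success, and callers may then place secrets under it. I would either stat the existing path in that arm and return an error unless it is a directory with the expected owner and mode, or narrow the doc comment to say so, e.g. `/// An already existing directory is accepted as-is; its owner and mode are not checked.`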