diff --git a/libfwupdplugin/fu-plugin.c b/libfwupdplugin/fu-plugin.c
index c7b53712e..c7662c4b8 100644
--- a/libfwupdplugin/fu-plugin.c
+++ b/libfwupdplugin/fu-plugin.c
@@ -10,6 +10,7 @@
 
 #include <errno.h>
 #include <fwupd.h>
+#include <glib/gstdio.h>
 #include <gmodule.h>
 #include <string.h>
 #include <unistd.h>
@@ -2260,6 +2261,49 @@ fu_plugin_set_config_value(FuPlugin *self, const gchar *key, const gchar *value,
 	return g_key_file_save_to_file(keyfile, conf_path, error);
 }
 
+/**
+ * fu_plugin_set_secure_config_value:
+ * @self: a #FuPlugin
+ * @key: a settings key
+ * @value: (nullable): a settings value
+ * @error: (nullable): optional return location for an error
+ *
+ * Sets a plugin config file value and updates file so that non-privileged users
+ * cannot read it.
+ *
+ * Returns: %TRUE for success
+ *
+ * Since: 1.7.4
+ **/
+gboolean
+fu_plugin_set_secure_config_value(FuPlugin *self,
+				  const gchar *key,
+				  const gchar *value,
+				  GError **error)
+{
+	g_autofree gchar *conf_path = fu_plugin_get_config_filename(self);
+	gint ret;
+
+	g_return_val_if_fail(FU_IS_PLUGIN(self), FALSE);
+	g_return_val_if_fail(error == NULL || *error == NULL, FALSE);
+
+	if (!g_file_test(conf_path, G_FILE_TEST_EXISTS)) {
+		g_set_error(error, FWUPD_ERROR, FWUPD_ERROR_NOT_FOUND, "%s is missing", conf_path);
+		return FALSE;
+	}
+	ret = g_chmod(conf_path, 0660);
+	if (ret == -1) {
+		g_set_error(error,
+			    FWUPD_ERROR,
+			    FWUPD_ERROR_INTERNAL,
+			    "failed to set permissions on %s",
+			    conf_path);
+		return FALSE;
+	}
+
+	return fu_plugin_set_config_value(self, key, value, error);
+}
+
 /**
  * fu_plugin_get_config_value_boolean:
  * @self: a #FuPlugin
diff --git a/libfwupdplugin/fu-plugin.h b/libfwupdplugin/fu-plugin.h
index eeffec2eb..13d4a43ce 100644
--- a/libfwupdplugin/fu-plugin.h
+++ b/libfwupdplugin/fu-plugin.h
@@ -434,6 +434,11 @@ fu_plugin_add_report_metadata(FuPlugin *self, const gchar *key, const gchar *val
 gchar *
 fu_plugin_get_config_value(FuPlugin *self, const gchar *key);
 gboolean
+fu_plugin_set_secure_config_value(FuPlugin *self,
+				  const gchar *key,
+				  const gchar *value,
+				  GError **error);
+gboolean
 fu_plugin_get_config_value_boolean(FuPlugin *self, const gchar *key);
 gboolean
 fu_plugin_set_config_value(FuPlugin *self, const gchar *key, const gchar *value, GError **error);
diff --git a/libfwupdplugin/fwupdplugin.map b/libfwupdplugin/fwupdplugin.map
index d80d380af..052d95f98 100644
--- a/libfwupdplugin/fwupdplugin.map
+++ b/libfwupdplugin/fwupdplugin.map
@@ -984,5 +984,6 @@ LIBFWUPDPLUGIN_1.7.4 {
     fu_cfi_device_set_block_size;
     fu_common_get_contents_stream;
     fu_memmem_safe;
+    fu_plugin_set_secure_config_value;
   local: *;
 } LIBFWUPDPLUGIN_1.7.3;