diff --git a/proxmox-acme-api/src/init.rs b/proxmox-acme-api/src/init.rs
index b23e49ea..a5287a8e 100644
--- a/proxmox-acme-api/src/init.rs
+++ b/proxmox-acme-api/src/init.rs
@@ -23,8 +23,8 @@ pub fn init>(acme_config_dir: P, create_subdirs: bool) -> Result<
 }

 if create_subdirs {
- create_secret_dir(self::acme_config_dir())?;
- create_secret_dir(acme_account_dir())?;
+ create_secret_dir(self::acme_config_dir(), false)?;
+ create_secret_dir(acme_account_dir(), false)?;
 }

 Ok(())
diff --git a/proxmox-product-config/src/filesystem_helpers.rs b/proxmox-product-config/src/filesystem_helpers.rs
index 1a12304a..9aa8b1a4 100644
--- a/proxmox-product-config/src/filesystem_helpers.rs
+++ b/proxmox-product-config/src/filesystem_helpers.rs
@@ -3,7 +3,6 @@ use std::path::Path;
 use anyhow::Error;
 use nix::sys::stat::Mode;

-use proxmox_sys::error::SysError;
 use proxmox_sys::fs::CreateOptions;

 use super::{get_api_user, get_priv_user};
@@ -91,14 +90,11 @@ pub fn replace_secret_config>(path: P, data: &[u8]) -> Result<(),

 /// Creates a directory owned by `priv_user.uid:priv_user.gid` with permission `0700`.
 ///
-/// Simply returns Ok if the directory already exists.
-pub fn create_secret_dir>(dir: P) -> Result<(), Error> {
+/// Simply returns Ok if the directory already exists. Directory permissions are verified
+/// and raise an error if enforce_permissions is set.
+pub fn create_secret_dir>(dir: P, enforce_permissions: bool) -> Result<(), Error> {
 let options = secret_create_options().perm(Mode::from_bits_truncate(0o700));
- match proxmox_sys::fs::create_dir(dir, options) {
- Ok(()) => Ok(()),
- Err(err) if err.already_exists() => Ok(()),
- Err(err) => Err(err.into()),
- }
+ proxmox_sys::fs::ensure_dir_exists(dir, &options, enforce_permissions)
 }

 /// Atomically write data to file owned by `root:root` with permission `0644`.
diff --git a/proxmox-sys/src/fs/dir.rs b/proxmox-sys/src/fs/dir.rs
index a3c6b3a9..6a5ad4d9 100644
--- a/proxmox-sys/src/fs/dir.rs
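Review bot: Both calls in `init` pass `false` for the new `enforce_permissions` argument, so a pre-existing ACME config or account directory is still accepted without its permissions being checked. That matches the old behaviour (the removed code returned `Ok` on "already exists"), but these are directories the helper treats as secret (`0700`, owned by the priv user), and the updated doc comment says verification only raises an error when the flag is set. If `false` is deliberate for compatibility with existing installations, record it at the call site, e.g. `// existing directories are accepted without a permission check, as before this change`; otherwise consider `create_secret_dir(acme_account_dir(), true)?;`. The body of `init` starts outside the hunk.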
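Review bot: The new doc sentence on `create_secret_dir` reads as if permissions were always verified, and it does not say what happens to an existing directory when `enforce_permissions` is `false`. The function now delegates to `proxmox_sys::fs::ensure_dir_exists`, whose body is only partly visible in this diff, so the comment should spell out the contract callers can rely on, for example `/// If the directory already exists and enforce_permissions is set, a permission mismatch is returned as an error; otherwise the existing directory is accepted unchecked.` (wording to be confirmed against `ensure_dir_exists`). It would also help to state whether an existing path with a different owner, or one that is not a directory, is rejected; that cannot be told from the lines shown. The added parameter changes the signature of a `pub fn`, so callers outside this diff need the same update.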
+++ b/proxmox-sys/src/fs/dir.rs
@@ -14,7 +14,7 @@ use crate::fs::{fchown, CreateOptions};
 /// Creates directory at the provided path with specified ownership.
 ///
 /// Errors if the directory already exists.
-pub fn create_dir>(path: P, options: CreateOptions) -> Result<(), nix::Error> {
+pub fn create_dir>(path: P, options: CreateOptions) -> Result<(), Error> {
 // clippy bug?: from_bits_truncate is actually a const fn...
 #[allow(clippy::or_fun_call)]
 let mode: stat::Mode = options
@@ -22,8 +22,12 @@ pub fn create_dir>(path: P, options: CreateOptions) -> Result<(),
 .unwrap_or(stat::Mode::from_bits_truncate(0o750));

 let path = path.as_ref();
- nix::unistd::mkdir(path, mode)?;
- unistd::chown(path, options.owner, options.group)?;
+
+ nix::unistd::mkdir(path, mode)
+ .map_err(|err| format_err!("unable to create directory {path:?} - {err}"))?;
+
+ unistd::chown(path, options.owner, options.group)
+ .map_err(|err| format_err!("unable to set ownership for directory {path:?} - {err}"))?;

 Ok(())
 }
@@ -66,7 +70,7 @@ pub fn ensure_dir_exists>(
 nix::sys::stat::fchmod(fd.as_raw_fd(), mode)
 .map_err(|err| format_err!("unable to set mode for directory {path:?} - {err}"))?;
 nix::unistd::fchown(fd.as_raw_fd(), uid, gid)
- .map_err(|err| format_err!("unable to set ownership directory {path:?} - {err}"))?;
+ .map_err(|err| format_err!("unable to set ownership for directory {path:?} - {err}"))?;

 Ok(())
 }
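Review bot: Changing `create_dir` to return `Error` while the errors are built with `format_err!` (the `map_err` calls in the next hunk, `@@ -22,8 +22,12 @@`) flattens the errno into a string, so a caller can no longer tell "already exists" apart from a permission failure. The code removed from `create_secret_dir` relied on exactly that distinction through `err.already_exists()`, and the doc comment here still advertises "Errors if the directory already exists". Assuming `Error` is `anyhow::Error` (the import is outside the hunk), keeping the source error would preserve it: `.map_err(|err| Error::from(err).context(format!("unable to create directory {path:?}")))?;`. The doc comment could also gain an `# Errors` section naming the two failure points. This is a signature change on a `pub fn`, and the function body continues outside this hunk.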
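Review bot: `unistd::chown(path, …)` in `create_dir` resolves the path a second time after `mkdir` and follows a symlink in the final component, so where the parent directory is writable by another user the ownership change can land on a different object than the directory just created. `ensure_dir_exists` further down in this file already applies mode and ownership through a file descriptor (`fchmod`/`fchown` on `fd.as_raw_fd()`). Doing the same here, by opening the new directory with `O_DIRECTORY | O_NOFOLLOW` and calling `nix::unistd::fchown(fd.as_raw_fd(), options.owner, options.group)`, closes that window. Separately, when the `chown` fails the freshly created directory is left behind with the creating user's ownership; a short comment saying whether callers are expected to clean up would help. The start of `create_dir` is outside this hunk.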