diff --git a/README.md b/README.md
index 50c042be..78829e1f 100644
--- a/README.md
+++ b/README.md
@@ -197,6 +197,12 @@ $ sudo docker rm subspace
 $ sudo docker create ... (see above)
 ```
 
+### Security
+
+Subspace generates a public private keypair for each user and stores them on the server in a file. Anyone with sudo access to the subspace server can therefore read other peoples keys.
+
+To mitigate this you can add the cron in etc/cron.d/subspace which will delete the private keys after they are generated. That does mean the user will have to regenerate a key if they lose their current one.
+
 ## Contributors ✨
 
 Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
diff --git a/etc/cron.d/subspace b/etc/cron.d/subspace
new file mode 100644
index 00000000..83842df2
--- /dev/null
+++ b/etc/cron.d/subspace
@@ -0,0 +1,3 @@
+# don't store private keys on the subspace server once they're generated and make sure our config in general is not world readable
+*/10 * * * * root chmod 640 /data/config.json; chmod -R 750 /data/wireguard; perl -pi -e 's/PrivateKey = .*/PrivateKey = YOU MUST MAKE A NEW PROFILE IF YOU LOST YOUR KEY/' /data/wireguard/client/*.conf
+