diff --git a/CHANGELOG.md b/CHANGELOG.md
index f6076ea4f6f2..3f15534d1d4b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -154,6 +154,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 * [#14995](https://github.com/cosmos/cosmos-sdk/pull/14995) Allow unknown fields in `ParseTypedEvent`.
 * (store) [#14931](https://github.com/cosmos/cosmos-sdk/pull/14931) Exclude in-memory KVStores, i.e. `StoreTypeMemory`, from CommitInfo commitments.
 * (types/coin) [#14739](https://github.com/cosmos/cosmos-sdk/pull/14739) Deprecate the method `Coin.IsEqual` in favour of  `Coin.Equal`. The difference between the two methods is that the first one results in a panic when denoms are not equal. This panic lead to unexpected behavior
+* (x/crypto) [#15258](https://github.com/cosmos/cosmos-sdk/pull/15258) Write keyhash file with permissions 0600 instead of 0555.
 
 ### Deprecated
 
diff --git a/crypto/keyring/keyring.go b/crypto/keyring/keyring.go
index a1e09ae4c9b3..8610cbf1473d 100644
--- a/crypto/keyring/keyring.go
+++ b/crypto/keyring/keyring.go
@@ -757,7 +757,7 @@ func newRealPrompt(dir string, buf io.Reader) func(string) (string, error) {
 				continue
 			}
 
-			if err := os.WriteFile(dir+"/keyhash", passwordHash, 0o555); err != nil {
+			if err := os.WriteFile(keyhashFilePath, passwordHash, 0o600); err != nil {
 				return "", err
 			}