diff --git a/tripleo_common/image/image_export.py b/tripleo_common/image/image_export.py
index 135e4a8e2..c71ee1c31 100644
--- a/tripleo_common/image/image_export.py
+++ b/tripleo_common/image/image_export.py
@@ -110,7 +110,9 @@ def export_stream(target_url, layer, layer_stream, verify_digest=True):
                       (image, blob_path))
 
     try:
-        with open(blob_path, 'wb') as f:
+        fd = os.open(blob_path, os.O_WRONLY | os.O_CREAT)
+        os.fchmod(fd, 0o0644)
+        with os.fdopen(fd, 'wb') as f:
             count = 0
             for chunk in layer_stream:
                 count += 1
diff --git a/tripleo_common/tests/image/test_image_export.py b/tripleo_common/tests/image/test_image_export.py
index b086bf4e9..505415c9c 100644
--- a/tripleo_common/tests/image/test_image_export.py
+++ b/tripleo_common/tests/image/test_image_export.py
@@ -90,6 +90,7 @@ class TestImageExport(base.TestCase):
         }
         calc_digest = hashlib.sha256()
         layer_stream = io.BytesIO(blob_compressed)
+        mask = os.umask(0o077)
         layer_digest, _ = image_export.export_stream(
             target_url, layer, layer_stream, verify_digest=False
         )
@@ -106,7 +107,11 @@ class TestImageExport(base.TestCase):
         with open(blob_path, 'rb') as f:
             self.assertEqual(blob_compressed, f.read())
 
-    @mock.patch('tripleo_common.image.image_export.open',
+        os.umask(mask)
+        blob_mode = oct(os.stat(blob_path).st_mode)
+        self.assertEqual('644', blob_mode[-3:])
+
+    @mock.patch('os.fdopen',
                 side_effect=MemoryError())
     def test_export_stream_memory_error(self, mock_open):
         blob_data = six.b('The Blob')