diff --git a/salt/common/init.sls b/salt/common/init.sls
index b0289ed32..870ae177f 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -231,6 +231,15 @@ commonlogrotateconf:
     - dayweek: '*'
 
 {% if role in ['eval', 'manager', 'managersearch', 'standalone'] %}
+# Lock permissions on the backup directory
+backupdir:
+  file.directory:
+    - name: /nsm/backup
+    - user: 0
+    - group: 0
+    - makedirs: True
+    - mode: 700
+  
 # Add config backup
 /usr/sbin/so-config-backup > /dev/null 2>&1:
   cron.present:
@@ -286,4 +295,4 @@ dockerreserveports:
   test.fail_without_changes:
     - name: {{sls}}_state_not_allowed
 
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/salt/common/tools/sbin/so-config-backup b/salt/common/tools/sbin/so-config-backup
index dc8dc55a2..f68417c6a 100755
--- a/salt/common/tools/sbin/so-config-backup
+++ b/salt/common/tools/sbin/so-config-backup
@@ -33,6 +33,8 @@ if [ ! -f $BACKUPFILE ]; then
   {%- for LOCATION in BACKUPLOCATIONS %}
   tar -rf $BACKUPFILE {{ LOCATION }}
   {%- endfor %}
+  tar -rf $BACKUPFILE /etc/pki
+  tar -rf $BACKUPFILE /etc/salt
 
 fi