diff --git a/how-about-the-private-key-access-modes,--chmod,-or-chown-or-umask-?.md b/how-about-the-private-key-access-modes,--chmod,-or-chown-or-umask-?.md
new file mode 100644
index 0000000..a60a776
--- /dev/null
+++ b/how-about-the-private-key-access-modes,--chmod,-or-chown-or-umask-?.md
@@ -0,0 +1,24 @@
+# How acme.sh deals with the private key file modes ?
+
+A short answer is:  we deal with the file permission as little as possible.
+
+A shorter answer is: we almost don't change the file permissions, you set it yourself, and it will keep forever.
+
+Ok, let me give a longer answer:
+
+1. By default, the key/cert files are saved in `~/.acme.sh`,  this folder is set to mode `700` by default. So, nobody else can read your private key.
+2. When you use `--install-cert` command to **copy** the cert to the target locations,  we use `cat keyfile > target_key_file` pattern, in which the target file permission is not changed, and you only need **write** permission to the target file.
+Yes, if the target file doesn't exist for the first time,  it will be created with your default *umask*, which is **umask 022** in most of the unix/linux systems.  In this case, somebody else *may* read your private key file.  But you can change the file mode manually, `chmod 700 target_key_file`. 
+The reason why we don't change the file mode is:  
+  1. `chmod` may have different support crossing different platforms.  
+  2. We respect the users choice most. We trust you more than ourselves.  you can change the file modes manually, you know your system best. We respect your choice.
+  3. There may cause problems if running as root, for example, when running as root, and we default to change the mode to `700` for the private key file,  the apache server is commonly running as user `www-data`, it can not read your private key. nginx server has the same problem.  Which could cause the normal uses confused.
+
+
+So, doing more doesn't mean doing better.   Less is more.
+
+
+
+
+
+