diff --git a/src/security/secrets.rs b/src/security/secrets.rs
index 99cfe9e..b07fe1e 100644
--- a/src/security/secrets.rs
+++ b/src/security/secrets.rs
@@ -191,14 +191,34 @@ impl SecretStore {
             #[cfg(windows)]
             {
                 // On Windows, use icacls to restrict permissions to current user only
-                let _ = std::process::Command::new("icacls")
+                let username = std::env::var("USERNAME").unwrap_or_default();
+                let Some(grant_arg) = build_windows_icacls_grant_arg(&username) else {
+                    tracing::warn!(
+                        "USERNAME environment variable is empty; \
+                         cannot restrict key file permissions via icacls"
+                    );
+                    return Ok(key);
+                };
+
+                match std::process::Command::new("icacls")
                     .arg(&self.key_path)
                     .args(["/inheritance:r", "/grant:r"])
-                    .arg(format!(
-                        "{}:F",
-                        std::env::var("USERNAME").unwrap_or_default()
-                    ))
-                    .output();
+                    .arg(grant_arg)
+                    .output()
+                {
+                    Ok(o) if !o.status.success() => {
+                        tracing::warn!(
+                            "Failed to set key file permissions via icacls (exit code {:?})",
+                            o.status.code()
+                        );
+                    }
+                    Err(e) => {
+                        tracing::warn!("Could not set key file permissions: {e}");
+                    }
+                    _ => {
+                        tracing::debug!("Key file permissions restricted via icacls");
+                    }
+                }
             }
 
             Ok(key)
@@ -239,6 +259,16 @@ fn hex_encode(data: &[u8]) -> String {
     s
 }
 
+/// Build the `/grant` argument for `icacls` using a normalized username.
+/// Returns `None` when the username is empty or whitespace-only.
+fn build_windows_icacls_grant_arg(username: &str) -> Option<String> {
+    let normalized = username.trim();
+    if normalized.is_empty() {
+        return None;
+    }
+    Some(format!("{normalized}:F"))
+}
+
 /// Hex-decode a hex string to bytes.
 #[allow(clippy::manual_is_multiple_of)]
 fn hex_decode(hex: &str) -> Result<Vec<u8>> {
@@ -733,6 +763,28 @@ mod tests {
         assert!(hex_decode("zzzz").is_err());
     }
 
+    #[test]
+    fn windows_icacls_grant_arg_rejects_empty_username() {
+        assert_eq!(build_windows_icacls_grant_arg(""), None);
+        assert_eq!(build_windows_icacls_grant_arg("   \t\n"), None);
+    }
+
+    #[test]
+    fn windows_icacls_grant_arg_trims_username() {
+        assert_eq!(
+            build_windows_icacls_grant_arg("  alice  "),
+            Some("alice:F".to_string())
+        );
+    }
+
+    #[test]
+    fn windows_icacls_grant_arg_preserves_valid_characters() {
+        assert_eq!(
+            build_windows_icacls_grant_arg("DOMAIN\\svc-user"),
+            Some("DOMAIN\\svc-user:F".to_string())
+        );
+    }
+
     #[test]
     fn generate_random_key_correct_length() {
         let key = generate_random_key();