diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index fa31954616b2178b7a13ee07bfb30712bfa50ce3..ed1e0e5029255ce4e1e9b663be6fdfd6d187b5d9 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -504,11 +504,13 @@ qemuDomainGetMasterKeyFilePath(const char *libDir)
  * Returns 0 on success, -1 on failure with error message indicating failure
  */
 static int
-qemuDomainWriteMasterKeyFile(qemuDomainObjPrivatePtr priv)
+qemuDomainWriteMasterKeyFile(virQEMUDriverPtr driver,
+                             virDomainObjPtr vm)
 {
     char *path;
     int fd = -1;
     int ret = -1;
+    qemuDomainObjPrivatePtr priv = vm->privateData;
 
     if (!(path = qemuDomainGetMasterKeyFilePath(priv->libDir)))
         return -1;
@@ -525,6 +527,10 @@ qemuDomainWriteMasterKeyFile(qemuDomainObjPrivatePtr priv)
         goto cleanup;
     }
 
+    if (virSecurityManagerDomainSetDirLabel(driver->securityManager,
+                                            vm->def, path) < 0)
+        goto cleanup;
+
     ret = 0;
 
  cleanup:
@@ -697,8 +703,11 @@ qemuDomainMasterKeyRemove(qemuDomainObjPrivatePtr priv)
  * Returns: 0 on success, -1 w/ error message on failure
  */
 int
-qemuDomainMasterKeyCreate(qemuDomainObjPrivatePtr priv)
+qemuDomainMasterKeyCreate(virQEMUDriverPtr driver,
+                          virDomainObjPtr vm)
 {
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+
     /* If we don't have the capability, then do nothing. */
     if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_OBJECT_SECRET))
         return 0;
@@ -709,7 +718,7 @@ qemuDomainMasterKeyCreate(qemuDomainObjPrivatePtr priv)
 
     priv->masterKeyLen = QEMU_DOMAIN_MASTER_KEY_LEN;
 
-    if (qemuDomainWriteMasterKeyFile(priv) < 0)
+    if (qemuDomainWriteMasterKeyFile(driver, vm) < 0)
         goto error;
 
     return 0;
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index d8d57d32df5d90585ce76372a3ec3f3a71801597..7d2c4fd92ae4ed42c9f49177a80596d9754ae4f5 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -584,7 +584,8 @@ char *qemuDomainGetMasterKeyFilePath(const char *libDir);
 
 int qemuDomainMasterKeyReadFile(qemuDomainObjPrivatePtr priv);
 
-int qemuDomainMasterKeyCreate(qemuDomainObjPrivatePtr priv);
+int qemuDomainMasterKeyCreate(virQEMUDriverPtr driver,
+                              virDomainObjPtr vm);
 
 void qemuDomainMasterKeyRemove(qemuDomainObjPrivatePtr priv);
 
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 3da23ce3d8e31e8de3bc21337491515e8e7ffef8..81d86c2d1aa27bdf62e771233733ad5d1b234707 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -5213,7 +5213,7 @@ qemuProcessPrepareHost(virQEMUDriverPtr driver,
         goto cleanup;
 
     VIR_DEBUG("Create domain masterKey");
-    if (qemuDomainMasterKeyCreate(priv) < 0)
+    if (qemuDomainMasterKeyCreate(driver, vm) < 0)
         goto cleanup;
 
     ret = 0;