diff --git a/src/nm-core-utils.c b/src/nm-core-utils.c
index 4b266ed563..9697b9bc38 100644
--- a/src/nm-core-utils.c
+++ b/src/nm-core-utils.c
@@ -2820,7 +2820,7 @@ nm_utils_secret_key_read (gsize *out_key_len, GError **error)
 		/* RFC7217 mandates the key SHOULD be at least 128 bits.
 		 * Let's use twice as much. */
 		key_len = 32;
-		secret_key = g_malloc (key_len);
+		secret_key = g_malloc (key_len + 1);
 
 		if (!nm_utils_random_bytes (secret_key, key_len)) {
 			g_set_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_UNKNOWN,
@@ -2829,6 +2829,10 @@ nm_utils_secret_key_read (gsize *out_key_len, GError **error)
 			goto out;
 		}
 
+		/* the secret-key is binary. Still, ensure that it's NULL terminated, just like
+		 * g_file_set_contents() does. */
+		secret_key[32] = '\0';
+
 		key_mask = umask (0077);
 		if (!g_file_set_contents (NMSTATEDIR "/secret_key", (char *) secret_key, key_len, error)) {
 			g_prefix_error (error, "Can't write " NMSTATEDIR "/secret_key: ");