diff --git a/rwm.py b/rwm.py
index e41fcdcedd06226e8261c5dfb29d5187bf5f7bdf..b3562193960654d347568b31b7a6dcf0bc4f8ca1 100755
--- a/rwm.py
+++ b/rwm.py
@@ -713,8 +713,14 @@ def load_config(path):
     """load config dict from file"""
 
     config = {}
-    if path:
-        config = yaml.safe_load(Path(path).read_text(encoding='utf-8'))
+    try:
+        config_path = Path(path)
+        config_perms = config_path.stat().st_mode & 0o777
+        if config_perms != 0o600:
+            logger.warning(f"config file permissions ({config_perms:o}) are too-open")
+        config = yaml.safe_load(config_path.read_text(encoding='utf-8'))
+    except (OSError, ValueError) as exc:
+        logger.error(f"cannot load config file, {exc}")
     logger.debug("config, %s", config)
     return config
 
@@ -725,7 +731,9 @@ def main(argv=None):  # pylint: disable=too-many-branches
     args = parse_arguments(argv)
     configure_logging(args.debug)
 
-    rwmi = RWM(load_config(args.config))
+    if not (config_dict := load_config(args.config)):
+        return 1
+    rwmi = RWM(config_dict)
     ret = -1
 
     if args.command == "version":
diff --git a/tests/test_default.py b/tests/test_default.py
index 9f19cc56283b51744804ac6af26c426bfe6151e2..7b69848b9f706cfb24da1789a5e2281a181ff2de 100644
--- a/tests/test_default.py
+++ b/tests/test_default.py
@@ -70,3 +70,6 @@ def test_main():
 
     with patch.object(rwm.RWM, "storage_restore_state", mock_ok):
         assert _rwm_minconfig(["storage-restore-state", "bucket", "bucket", "state"]) == 0
+
+    # error handling
+    assert rwm_main(["--config", "notexist", "version"]) == 1