diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0d7e47b8..d617279a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ This changelog adheres to [Keep a CHANGELOG](http://keepachangelog.com/).
 * Drop platform 6 fpm support
 * On all Debian platforms simplify java depends, allow 17 or 11, prefer 17
 * Add Debian 12 bookworm as a FOSS build target
+* Use systemd's PrivateTmp feature for improved security
 
 ## [2.6.1]
 * Fix the ability to add a resources directory to a project with :include-dir by copying the resources to the staging directory directly.
diff --git a/resources/puppetlabs/lein-ezbake/template/global/ext/debian/ezbake.service.erb b/resources/puppetlabs/lein-ezbake/template/global/ext/debian/ezbake.service.erb
index 1eb8afb0..72011239 100644
--- a/resources/puppetlabs/lein-ezbake/template/global/ext/debian/ezbake.service.erb
+++ b/resources/puppetlabs/lein-ezbake/template/global/ext/debian/ezbake.service.erb
@@ -27,6 +27,7 @@ TimeoutStopSec=<%= EZBake::Config[:stop_timeout] %>
 Restart=on-failure
 StartLimitBurst=5
 PIDFile=/run/puppetlabs/<%= EZBake::Config[:real_name] %>/<%= EZBake::Config[:real_name] %>.pid
+PrivateTmp=true
 
 # https://tickets.puppetlabs.com/browse/EZ-129
 # Prior to systemd v228, TasksMax was unset by default, and unlimited. Starting in 228 a default of '512'
diff --git a/resources/puppetlabs/lein-ezbake/template/global/ext/redhat/ezbake.service.erb b/resources/puppetlabs/lein-ezbake/template/global/ext/redhat/ezbake.service.erb
index 2d037fd3..2a6af137 100644
--- a/resources/puppetlabs/lein-ezbake/template/global/ext/redhat/ezbake.service.erb
+++ b/resources/puppetlabs/lein-ezbake/template/global/ext/redhat/ezbake.service.erb
@@ -27,6 +27,7 @@ TimeoutStopSec=<%= EZBake::Config[:stop_timeout] %>
 Restart=on-failure
 StartLimitBurst=5
 PIDFile=/run/puppetlabs/<%= EZBake::Config[:real_name] %>/<%= EZBake::Config[:real_name] %>.pid
+PrivateTmp=true
 
 # https://tickets.puppetlabs.com/browse/EZ-129
 # Prior to systemd v228, TasksMax was unset by default, and unlimited. Starting in 228 a default of '512'