diff --git a/sys/man/4/keyfs b/sys/man/4/keyfs
index cbb93beaf..960598f86 100644
--- a/sys/man/4/keyfs
+++ b/sys/man/4/keyfs
@@ -14,6 +14,9 @@ keyfs, warning \- authentication database files
 .BI -m mntpt
 ]
 [
+.B -r
+]
+[
 .I keyfile
 ]
 .PP
@@ -84,6 +87,10 @@ If any changes are made to the database that affect the information stored in
 .IR keyfile ,
 a new version of the file is written.
 .PP
+If the
+.B -r
+option is given, the database is mounted `read-only' and no changes are permitted.
+.PP
 There are two authentication databases,
 one for Plan 9 user information,
 and one for SecureNet user information.
diff --git a/sys/src/cmd/auth/keyfs.c b/sys/src/cmd/auth/keyfs.c
index c32135df9..efab7e4c0 100644
--- a/sys/src/cmd/auth/keyfs.c
+++ b/sys/src/cmd/auth/keyfs.c
@@ -92,6 +92,7 @@ int	nuser;
 ulong	uniq = 1;
 Fcall	rhdr, thdr;
 int	usepass;
+int	readonly;
 char	*warnarg;
 uchar	mdata[8192 + IOHDRSZ];
 int	messagesize = sizeof mdata;
@@ -137,7 +138,7 @@ char 	*(*fcalls[])(Fid*) = {
 static void
 usage(void)
 {
-	fprint(2, "usage: %s [-p] [-m mtpt] [-w warn] [keyfile]\n", argv0);
+	fprint(2, "usage: %s [-p] [-r] [-m mtpt] [-w warn] [keyfile]\n", argv0);
 	exits("usage");
 }
 
@@ -165,6 +166,9 @@ main(int argc, char *argv[])
 	case 'w':
 		warnarg = EARGF(usage());
 		break;
+	case 'r':
+		readonly = 1;
+		break;
 	default:
 		usage();
 		break;
@@ -390,6 +394,8 @@ Create(Fid *f)
 
 	if(!f->busy)
 		return "create of unused fid";
+	if(readonly)
+		return "mounted read-only";
 	name = rhdr.name;
 	if(f->user != nil){
 		return "permission denied";
@@ -531,6 +537,8 @@ Write(Fid *f)
 
 	if(!f->busy)
 		return "permission denied";
+	if(readonly)
+		return "mounted read-only";
 	n = rhdr.count;
 	data = rhdr.data;
 	switch(f->qtype){
@@ -613,6 +621,10 @@ Remove(Fid *f)
 {
 	if(!f->busy)
 		return "permission denied";
+	if(readonly){
+		Clunk(f);
+		return "mounted read-only";
+	}
 	if(f->qtype == Qwarnings)
 		f->user->warnings = 0;
 	else if(f->qtype == Quser)
@@ -649,6 +661,8 @@ Wstat(Fid *f)
 
 	if(!f->busy || f->qtype != Quser)
 		return "permission denied";
+	if(readonly)
+		return "mounted read-only";
 	if(rhdr.nstat > sizeof buf)
 		return "wstat buffer too big";
 	if(convM2D(rhdr.stat, rhdr.nstat, &d, buf) == 0)
@@ -712,6 +726,11 @@ writeusers(void)
 	uchar *p, *buf;
 	ulong expire;
 
+	if(readonly){
+		fprint(2, "writeusers called while read-only; shouldn't happen\n");
+		return;
+	}
+
 	/* what format to use */
 	keydblen = KEYDBLEN;
 	keydboff = KEYDBOFF;