diff --git a/pkg/storage/utils/decomposedfs/decomposedfs.go b/pkg/storage/utils/decomposedfs/decomposedfs.go
index 0b683400bd..398e861419 100644
--- a/pkg/storage/utils/decomposedfs/decomposedfs.go
+++ b/pkg/storage/utils/decomposedfs/decomposedfs.go
@@ -115,7 +115,7 @@ func NewDefault(m map[string]interface{}, bs tree.Blobstore) (storage.FS, error)
 
 	tp := tree.New(o.Root, o.TreeTimeAccounting, o.TreeSizeAccounting, lu, bs)
 
-	permissionsClient, err := pool.GetPermissionsClient(o.PermissionsSVC)
+	permissionsClient, err := pool.GetPermissionsClient(o.PermissionsSVC, pool.WithTLSMode(o.PermTLSMode))
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/storage/utils/decomposedfs/options/options.go b/pkg/storage/utils/decomposedfs/options/options.go
index 16811837a7..e5b1b7aa09 100644
--- a/pkg/storage/utils/decomposedfs/options/options.go
+++ b/pkg/storage/utils/decomposedfs/options/options.go
@@ -22,6 +22,8 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool"
+	"github.com/cs3org/reva/v2/pkg/sharedconf"
 	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
 )
@@ -47,7 +49,9 @@ type Options struct {
 	TreeSizeAccounting bool `mapstructure:"treesize_accounting"`
 
 	// permissions service to use when checking permissions
-	PermissionsSVC string `mapstructure:"permissionssvc"`
+	PermissionsSVC           string `mapstructure:"permissionssvc"`
+	PermissionsClientTLSMode string `mapstructure:"permissionssvc_tls_mode"`
+	PermTLSMode              pool.TLSMode
 
 	PersonalSpaceAliasTemplate string `mapstructure:"personalspacealias_template"`
 	GeneralSpaceAliasTemplate  string `mapstructure:"generalspacealias_template"`
@@ -84,5 +88,20 @@ func New(m map[string]interface{}) (*Options, error) {
 		o.GeneralSpaceAliasTemplate = "{{.SpaceType}}/{{.SpaceName | replace \" \" \"-\" | lower}}"
 	}
 
+	if o.PermissionsClientTLSMode != "" {
+		var err error
+		o.PermTLSMode, err = pool.StringToTLSMode(o.PermissionsClientTLSMode)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		sharedOpt := sharedconf.GRPCClientOptions()
+		var err error
+
+		if o.PermTLSMode, err = pool.StringToTLSMode(sharedOpt.TLSMode); err != nil {
+			return nil, err
+		}
+	}
+
 	return o, nil
 }