Update SECURITY.md

Orsiris de Jong 2024-01-15 01:23:16 +01:00
parent ef9a26aa08
commit f114544b46

@ -1,3 +1,4 @@
# Retired since v2.3.0, replaced by NPF-SEC-00007
# NPF-SEC-00001: SECURITY-ADMIN-BACKUP-PASSWORD ONLY AVAILABLE ON PRIVATE COMPILED BUILDS
In gui.config we have a function that allows to show unencrypted values of the yaml config file
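Review bot: the "Retired since v2.3.0, replaced by NPF-SEC-00007" line at the top of this hunk is written as a `#` heading at the same level as the NPF-SEC-00001 title below it, so it renders as its own top-level section instead of as the status of that entry. Suggest making it a plain line directly under the NPF-SEC-00001 heading (or folding it into the title) so the retirement is unambiguously tied to the entry it applies to.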
@ -7,6 +8,7 @@ While this is practical, it should never be allowed on non compiled builds or wi
All these commands are run with npbackup held privileges.
In order to avoid a potential attack, the config file has to be world readable only.
We need to document this, and perhaps add a line in installer script
# NPF-SEC-00003: Avoid password command divulgation
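Review bot: the sentence "the config file has to be world readable only" in this hunk reads as the opposite of what the surrounding text calls for. The entry says the commands run with npbackup's privileges and that the goal is to avoid an attack, which implies restricting who can read and modify the file, not opening it to everyone. Please reword it to state the intended owner and mode explicitly, and since the next line says this still needs documenting, say where that documentation or installer check will live.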
@ -23,3 +25,17 @@ This will prevent local backups, so we need to think of a better zero knowledge
Since viewer mode requires actual knowledge of repo URI and repo password, there's no need to manage local permissions.
Viewer mode permissions are set to "restore".
# NPF-SEC-00006: Never inject permissions if some are already present
Since v2.3.0, we insert permissions directly into the encrypted repo URI.
Hence, update permissions should only happen in two cases:
- CLI: Recreate repo_uri entry and add permission field from YAML file
- GUI: Enter permission password to update permissions
# NPF-SEC-00007: Encrypted data needs to be protected
Since encryption is symmetric, we need to protect our sensible data.
Best ways:
- Compile with alternative aes-key
- Use --aes-key with alternative aes-key which is protected by system
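Review bot: in NPF-SEC-00007, "alternative aes-key which is protected by system" does not say what the protection is or who is allowed to read the key. Because the entry itself notes the encryption is symmetric, anyone who obtains that key can decrypt the data, so the text should state where the key is expected to be stored and which permissions it needs. Also, "sensible data" should read "sensitive data". For NPF-SEC-00006, the title says never to inject permissions when some are already present, but the body only lists when updates are allowed; a sentence on what happens when permissions already exist would close that gap.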