In gui.config we have a function that allows to show unencrypted values of the yaml config file While this is practical, it should never be allowed on non compiled builds or with the default backup admin password
All these commands are run with npbackup held privileges. In order to avoid a potential attack, the config file has to be world readable only.
Password command is encrypted in order to avoid it's divulgation if config file is world readable. Password command is also not logged.
Partially covered with password_command feature. We should have a central password server that holds repo passwords, so password is never actually stored in config. This will prevent local backups, so we need to think of a better zero knowledge strategy here.