1 files changed, 12 insertions, 0 deletions

diff --git a/docs/ops.md b/docs/ops.md
index 4dfec49..a622c04 100644
--- a/docs/ops.md
+++ b/docs/ops.md
@@ -9,3 +9,15 @@ To avoid destroying backups that may still be needed, `pilcrow` will not start i
 - Start the server with **a copy** of the backup database, and determine if any data has been lost. If not, shut it down, replace your main database by copying the backup, and carry on.
 
 The `pilcrow` database is an ordinary file. While the server is not running, it can be freely copied or renamed without invalidating the data in it.
+
+## Permissions
+
+The Pilcrow database (`pilcrow.db` by default) should have restricted permissions, as it contains data that is either confidential (such as users' conversations), sensitive (such as the service's configuration), or both. At minimum, it should not be world-readable on the server where Pilcrow is installed.
+
+By default, the `pilcrow` command will set the process' umask to a value that prevents the creation of world-readable or world-writeable files, so that the Pilcrow database will be created with appropriate filesystem permissions. This behaviour can be controlled using the `--umask` startup option, which takes the following values:
+
+- `masked`, the default, which takes the inherited umask and additionally sets the world-readable, world-writeable, and world-executable bits;
+- `inherit`, which takes the inherited umask as-is, requiring the operator to set a sensible value here; or
+- any octal value corresponding to a valid umask, such as `0027`.
+
+Pilcrow does not check or change the permissions of the database after creation. Changing the umask of the server after the database has been created has no effect on the database's filesystem permissions.