diff --git a/man/NetworkManager.conf.xml b/man/NetworkManager.conf.xml
index d9d5afcf96..248d6fb8d2 100644
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@@ -1134,10 +1134,12 @@ enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16
/etc/NetworkManager/system-connections.
- The stored connection file may contain passwords and
- private keys, so it will be made readable only to root,
- and the plugin will ignore files that are readable or
- writable by any user or group other than root.
+ The stored connection file may contain passwords, secrets and
+ private keys in plain text, so it will be made readable only to
+ root, and the plugin will ignore files that are readable or
+ writable by any user or group other than root. See "Secret flag types"
+ in nm-settings5
+ for how to avoid storing passwords in plain text.
This plugin is always active, and will automatically be
diff --git a/man/nm-settings.xsl b/man/nm-settings.xsl
index 36fb82885f..57d5ce41cf 100644
--- a/man/nm-settings.xsl
+++ b/man/nm-settings.xsl
@@ -87,13 +87,18 @@
Secret flag types:
- Each secret property in a setting has an associated flags property
+ Each password or secret property in a setting has an associated flags property
that describes how to handle that secret. The flags property is a bitfield
that contains zero or more of the following values logically OR-ed together.
- 0x0 (none) - the system is responsible for providing and storing this secret.
+ 0x0 (none) - the system is responsible for providing and storing this secret. This
+ may be required so that secrets are already available before the user logs in.
+ It also commonly means that the secret will be stored in plain text on disk, accessible
+ to root only. For example via the keyfile settings plugin as described in the "PLUGINS" section
+ in NetworkManager.conf5.
+ 0x1 (agent-owned) - a user-session secret agent is responsible for providing and storing