From 278e26bf22011ae102468c670134b9a08227c459 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sun, 15 Mar 2020 00:16:21 -0400
Subject: [PATCH] document persistently encrypting/decrypting keys

---
 static/build.html | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/static/build.html b/static/build.html
index 0be5077d..8d1122a4 100644
--- a/static/build.html
+++ b/static/build.html
@@ -459,6 +459,19 @@ cd ../..</pre>
             <pre>cd keys/crosshatch
 ../../development/tools/make_key networkstack '/CN=GrapheneOS/'</pre>
 
+            <h3 id="encrypting-keys">
+                <a href="#encrypting-keys">Encrypting keys</a>
+            </h3>
+
+            <p>You can (re-)encrypt your signing keys using the <code>encrypt_keys</code> script,
+            which will prompt for the old passphrase (if any) and new passphrase:</p>
+
+            <pre>script/encrypt_keys.sh keys/crosshatch</pre>
+
+            <p>The <code>script/decrypt_keys.sh</code> script can be used to remove encryption,
+            which is not recommended. The script exists primarily for internal usage to decrypt
+            the keys in tmpfs to perform signing.</p>
+
             <h3 id="enabling-updatable-apex-components">
                 <a href="#enabling-updatable-apex-components">Enabling updatable APEX components</a>
             </h3>