From 56582135f13fd26394d390d0ffe1385d1915080d Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 14 Mar 2020 23:37:48 -0400
Subject: [PATCH] OS signing key encryption is properly supported

---
 static/build.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/static/build.html b/static/build.html
index 0fe4ceb9..c54d2aa0 100644
--- a/static/build.html
+++ b/static/build.html
@@ -425,9 +425,9 @@ mv vendor/android-prepare-vendor/DEVICE/BUILD_ID/vendor/google_devices/* vendor/
             factory reset. Note that the keys are used for a lot more than simply verifying
             updates and verified boot.</p>
 
-            <p>The keys should not be given passwords due to limitations in the upstream scripts.
-            If you want to secure them at rest, you should take a different approach where they
-            can still be available to the signing scripts as a directory of unencrypted keys.</p>
+            <p>You should set a passphrase for the signing keys to protect them at rest. The
+            GrapheneOS release signing script expects the same passphrase to be used for each of
+            the keys.</p>
 
             <p>The sample certificate subject should be replaced with your own information.</p>