diff --git a/bootloaders/encrypted/README.md b/bootloaders/encrypted/README.md index f079d9469..580e35a20 100644 --- a/bootloaders/encrypted/README.md +++ b/bootloaders/encrypted/README.md @@ -4,12 +4,21 @@ Replace private.pem and privateaes.bin with your own keys - your signing key mus openssl ecparam -name secp256k1 -genkey -out private.pem ``` -The AES key is just be a 32 byte binary file - you can create one with +The AES key is just a 32 byte binary file - you can create one with: ```bash dd if=/dev/urandom of=privateaes.bin bs=1 count=32 ``` +You will need to program your OTP using the generated `otp.json` file generated by the build in your build folder +NOTE: This will enable secure boot on your device, so only correctly signed binaries can then run, and will also lock down the OTP page the AES key is stored in. +If you wish to test without enabling secure boot, you can load the `otp.json` file in the source folder ([otp.json](otp.json)) instead which will just program the AES key and lock down that OTP page. +```bash +picotool otp load otp.json +``` + +> For more information on security see chapter 10 of the [RP2350 datasheet](https://datasheets.raspberrypi.com/rp2350/rp2350-datasheet.pdf), and for information on how to sign other binaries to run on a secure chip see chapter 5.10 + Then either drag & drop the UF2 files to the device in order (enc_bootloader first, then hello_serial_enc) waiting for a reboot in-between, or run ```bash picotool load enc_bootloader.uf2
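Review bot: the `picotool otp load otp.json` command in this hunk is given without a path, so it does not distinguish the two files the surrounding text describes: the `otp.json` generated in the build folder (which enables secure boot and locks the AES-key OTP page) and the `otp.json` in the source folder (which only programs and locks the AES key). A reader who runs the command from the build directory gets the secure-boot behaviour even if they only wanted the test setup; please show both invocations explicitly, e.g. `picotool otp load build/otp.json` for the secure-boot case and `picotool otp load otp.json` from the source folder for the test case, so the choice is made deliberately. Since OTP programming cannot be undone, the NOTE should also state plainly that enabling secure boot this way is permanent for that device. Minor wording: "the generated `otp.json` file generated by the build" repeats "generated" and the sentence lacks a full stop, and the datasheet reference "chapter 5.10" should read "section 5.10" to match "chapter 10" earlier in the same line.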