diff --git a/bootloaders/encrypted/README.md b/bootloaders/encrypted/README.md
index f079d9469..b91340bd4 100644
--- a/bootloaders/encrypted/README.md
+++ b/bootloaders/encrypted/README.md
@@ -4,12 +4,17 @@ Replace private.pem and privateaes.bin with your own keys - your signing key mus
 openssl ecparam -name secp256k1 -genkey -out private.pem
 ```
 
-The AES key is just be a 32 byte binary file - you can create one with
+The AES key is just a 32 byte binary file - you can create one with
 
 ```bash
 dd if=/dev/urandom of=privateaes.bin bs=1 count=32
 ```
 
+You will need to program your OTP using the generated `otp.json` file in the build folder. Note that this will enable secure boot on your device, so only signed binaries can run, and will also lock down the page the AES key is stored in. If you wish to test without enabling secure boot then you can load the `otp.json` file in the source folder, which will just program the AES key and lock down that page.
+```bash
+picotool otp load otp.json
+```
+
 Then either drag & drop the UF2 files to the device in order (enc_bootloader first, then hello_serial_enc) waiting for a reboot in-between, or run
 ```bash
 picotool load enc_bootloader.uf2