diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 9f88ca0..7790c74 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -306,6 +306,9 @@ Now that we've established the concepts of the components that OpenPGP certifica We'll start with a very minimal version of [](alice_priv), stored as a *transferable secret key* ([RFC 10.2.](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#transferable-secret-keys)) (that is, including private key material). +Note that the secret key material we're using in this chapter is not password protected. To learn more about encrypting private key material with passwords in OpenPGP, see +{numref}`encrypted_secrets`. + In this section, we use the Sequoia-PGP tool `sq` to handle and transform our example OpenPGP key, and to inspect internal OpenPGP packet data. One way to produce this minimal version of Alice's key is: diff --git a/book/source/05-private.md b/book/source/05-private.md index ae4d001..a0bf8de 100644 --- a/book/source/05-private.md +++ b/book/source/05-private.md @@ -12,6 +12,16 @@ https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-transferable-secret-keys +(encrypted_secrets)= +## Password protecting secret key material + +```{admonition} TODO +:class: warning + +S2K, symmetric encryption +``` + + ## Private key operations The core of private key operations doesn't require access to the whole certificate. A private key subsystem only needs to handle the cryptographic key material.
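Review bot: In the 04-certificates.md hunk, the added sentence links with {numref}`encrypted_secrets`, while the context line just above it references its target as [](alice_priv). numref depends on numbering being enabled for the target, so unless the book numbers its sections, [](encrypted_secrets) would be the consistent and safer form. The note also says the example key is not password protected without saying why; one clause explaining that choice would help, since the section it points to is only a TODO stub in this same patch.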
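Review bot: In the 05-private.md hunk, the new "Password protecting secret key material" section consists only of a TODO admonition reading "S2K, symmetric encryption", yet chapter 4 now sends readers to it through the (encrypted_secrets)= label. Consider expanding the TODO into a short outline of what the section will cover, or adding a sentence of interim text, so the cross-reference does not land on an empty warning box. Minor style point: the hunk adds two blank lines before "## Private key operations" where one would do.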