diff --git a/bootloaders/encrypted/README.md b/bootloaders/encrypted/README.md index 8551d7777..580e35a20 100644 --- a/bootloaders/encrypted/README.md +++ b/bootloaders/encrypted/README.md @@ -4,13 +4,15 @@ Replace private.pem and privateaes.bin with your own keys - your signing key mus openssl ecparam -name secp256k1 -genkey -out private.pem ``` -The AES key is just a 32 byte binary file - you can create one with +The AES key is just a 32 byte binary file - you can create one with: ```bash dd if=/dev/urandom of=privateaes.bin bs=1 count=32 ``` -You will need to program your OTP using the generated `otp.json` file in the build folder. Note that this will enable secure boot on your device, so only signed binaries can run, and will also lock down the OTP page the AES key is stored in. If you wish to test without enabling secure boot then you can load the `otp.json` file in the source folder, which will just program the AES key and lock down that OTP page. +You will need to program your OTP using the generated `otp.json` file generated by the build in your build folder +NOTE: This will enable secure boot on your device, so only correctly signed binaries can then run, and will also lock down the OTP page the AES key is stored in. +If you wish to test without enabling secure boot, you can load the `otp.json` file in the source folder ([otp.json](otp.json)) instead which will just program the AES key and lock down that OTP page. ```bash picotool otp load otp.json ```
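Review bot: In the first added line, "the generated `otp.json` file generated by the build" repeats "generated" and ends without a full stop, and because the three added lines have no blank lines between them Markdown will render them as one paragraph, so the NOTE about secure boot runs straight on from "build folder". Suggest "using the `otp.json` file generated by the build in your build folder.", followed by a blank line before the NOTE so the secure boot warning stands out as its own paragraph. Both files are named `otp.json` but only the build-folder one enables secure boot, while the unchanged command `picotool otp load otp.json` uses a relative path, so which file gets programmed depends on the working directory; it would help to say which directory to run the command from in each case, or show the path explicitly. In the last added line, "instead which" needs a comma: "instead, which will just program the AES key".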