diff --git a/README.md b/README.md
index 976fda851745026ed0cd73cc22576a6673accc43..8b1b94ce1e30ef8daa85c98b7b15de9996a38c9c 100644
--- a/README.md
+++ b/README.md
@@ -36,9 +36,9 @@ secrets like Hetzner credentials; access to the `super` vault is controlled by
 the `vault_super_pgpkeys` variable.
 All the keys should be on the local user gpg keyring and at **minimum** be
-locally signed with `--lsign-key`. This is necessary for running any of the
-`reencrypt-vault-default-key`, `reencrypt-vault-super-key `or `fetch-borg-keys`
-tasks.
+locally signed with `--lsign-key` (or if you use TOFU, have `--tofu-policy
+good`). This is necessary for running any of the `reencrypt-vault-default-key`,
+`reencrypt-vault-super-key `or `fetch-borg-keys` tasks.
 #### Note about packer
diff --git a/group_vars/all/root_access.yml b/group_vars/all/root_access.yml
index 426193d5e692fb7ce3be444cb958fbd0cc62ab43..faac6e295e29af6344c4f4d11eadff6c73357700 100644
--- a/group_vars/all/root_access.yml
+++ b/group_vars/all/root_access.yml
@@ -29,10 +29,11 @@ root_ssh_keys:
 - man.archlinux.org
 - gitlab.archlinux.org
-# - run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this
-# changes; before doing so, make sure to 'gpg --lsign-key' all listed keys
-# - before committing the re-encrypted password file, test if both vaults are
-# working using `ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml`
+# run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this
+# changes; before doing so, make sure to 'gpg --lsign-key' all keys from both
+# sets (or if you use TOFU, `gpg --tofu-policy good`) before committing the
+# re-encrypted password file, then test that both vaults are working using
+# `ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml`
 # NOTE: adding a key to this list gives access to both default and super vaults
 vault_super_pgpkeys: &vault_super_pgpkeys
 - 86CFFCA918CF3AF47147588051E8B148A9999C34 # foutrelis
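Review bot: The TOFU alternative on the new `+# sets (or if you use TOFU, 'gpg --tofu-policy good')` line is incomplete as written: `--tofu-policy` takes the policy followed by the key fingerprint(s), and it only changes a key's validity when gpg runs with `--trust-model tofu` or `tofu+pgp` (in gpg.conf or on the command line), so an operator on the default pgp trust model who follows the comment literally will presumably still hit untrusted-key failures in the reencrypt task that the README says needs signed keys. Marking a binding "good" is also the same trust decision as `--lsign-key`, so it deserves the same caveat about checking the fingerprint out of band first. I'd spell it out as `# (or, if your gpg uses --trust-model tofu or tofu+pgp: 'gpg --tofu-policy good <FINGERPRINT>' for each key)` and add `# verify every fingerprint against an out-of-band source before signing it or marking it good`. The vault_super_pgpkeys list continues past the end of the hunk.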
@@ -45,10 +46,11 @@ vault_super_pgpkeys: &vault_super_pgpkeys
 - DB650286BD9EAE39890D3FE6FE3DC1668CB24956 # klausenbusk
 - B4B759625D4633430B74877059E43E106B247368 # artafinde
-# - run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes
-# - before running it, make sure to 'gpg --lsign-key' all keys listed below
-# - before committing the re-encrypted password file, test that the vault
-# is working by running `ansible-vault view misc/vaults/vault_hcloud.yml`
+# run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes;
+# before doing so, make sure to 'gpg --lsign-key' all keys below (or if you use
+# TOFU, `gpg --tofu-policy good`) before committing the re-encrypted password
+# file, then test that the vault is working by running `ansible-vault view
+# misc/vaults/vault_hcloud.yml`
 vault_default_pgpkeys:
 - *vault_super_pgpkeys
 - F00B96D15228013FFC9C9D0393B11DAA4C197E3D # gromit
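Review bot: The merged comment on the new `+# before doing so, make sure to 'gpg --lsign-key' … before committing the re-encrypted password` lines now has two competing "before" clauses in one sentence, so it no longer says clearly that the keys must be signed before running the reencrypt task, not before the commit. The removed bullets kept the three steps (run, sign first, verify before commit) in order, which is the property that stops an operator from re-encrypting with an unverified key and only noticing at commit time. I'd restore the ordering explicitly: `# before running it, 'gpg --lsign-key' (or, with a TOFU trust model, 'gpg --tofu-policy good <FINGERPRINT>') every key listed below;` followed by `# before committing the re-encrypted file, check it with 'ansible-vault view misc/vaults/vault_hcloud.yml'`. The same merged wording is used for the super-vault comment in the previous hunk, and the vault_default_pgpkeys list continues past the end of this hunk.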