diff --git a/misc/vault-keyring-client.sh b/misc/vault-keyring-client.sh
index 4f24f90235811c43ce682025b6a5e4e9703ee1a5..3f2fe0f8274cdfbb231a6d1db47326fba50d176a 100755
--- a/misc/vault-keyring-client.sh
+++ b/misc/vault-keyring-client.sh
@@ -2,7 +2,7 @@
 
 readonly vault_password_file_encrypted="$(dirname $0)/vault-$2-password.gpg"
 
-# often getting "gpg: decryption failed: No secret key" in tf-stage2
-# seems to work with flock (issue last reproduced with gnupg 2.2.35)
+# flock used to work around "gpg: decryption failed: No secret key" in tf-stage2
+# would otherwise need 'auto-expand-secmem' (https://dev.gnupg.org/T3530#106174)
 flock "$vault_password_file_encrypted" \
   gpg --batch --decrypt --quiet "$vault_password_file_encrypted"