From 600067e5e1ada72ca4790f17d5c9052401cfe98d Mon Sep 17 00:00:00 2001
From: Erik Moeller <eloquence@gmail.com>
Date: Thu, 7 Mar 2019 18:08:59 -0800
Subject: [PATCH] [docs] Make it clearer that key generation must be done on
 the SVS

Resolves #4076
---
 docs/generate_securedrop_application_key.rst | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/docs/generate_securedrop_application_key.rst b/docs/generate_securedrop_application_key.rst
index 66f832dde91..960a4bfe022 100644
--- a/docs/generate_securedrop_application_key.rst
+++ b/docs/generate_securedrop_application_key.rst
@@ -7,7 +7,16 @@ of this key is only stored on the *Secure Viewing Station* which is never
 connected to the Internet. SecureDrop submissions can only be decrypted and
 read on the *Secure Viewing Station*.
 
-We will now generate the *SecureDrop Submission Key*.
+We will now generate the *SecureDrop Submission Key*. If you aren't still
+logged into your *Secure Viewing Station* from the previous step, boot it using
+its Tails USB stick, with persistence enabled.
+
+.. important:: Do not follow these steps before you have fully configured the
+  *Secure Viewing Station* according to the :doc:`instructions <set_up_svs>`.
+  The private key you will generate in the following steps is one of the most
+  important secrets associated with your SecureDrop installation. This procedure
+  is intended to ensure that the private key is protected by the air-gap
+  throughout its lifetime.
 
 Create the Key
 --------------