diff --git a/README.md b/README.md
index 2b6c180..4b70501 100644
--- a/README.md
+++ b/README.md
@@ -176,6 +176,31 @@ river $@
 
 and replace `river` with `inga-river` in `/etc/greetd/environments`.
 
+### Keyring
+
+`doas apk add gnome-keyring`, and add relevant lines into `/etc/pam.d/greetd`, it should look like this:
+
+```
+#%PAM-1.0
+
+auth	include	system-local-login
+auth	optional	pam-gnome-keyring.so
+
+account	include	system-local-login
+
+session	include	system-local-login
+session	optional	pam_gnome_keyring.so auto_start
+```
+
+Add following lines to `/usr/local/bin/inga-river` before the call to river:
+
+```
+eval $(gnome-keyring-daemon)
+export SSH_AUTH_SOCK
+```
+
+Reboot, login, make sure with `ps aux | grep key` that keyring daemon is running.
+
 ### Launcher
 
 `doas apk add bemenu`, and then add this line into your river config:
@@ -611,7 +636,7 @@ doas lxc exec test-alpine-container -- /bin/ash
 ```
 Networking should work inside of container.
 
-#### OpenSSH
+### OpenSSH
 
 With password-based auth (not recommended): in container (from root, `lxc-attach`/`lxc exec`)
 
@@ -627,7 +652,13 @@ doas apk add openssh-client
 ssh CONTAINER_IP
 ```
 
-With keys-based auth: TODO
+With keys-based auth:
+```
+ssh-keygen -t ed25519
+ssh-copy-id CONTAINER_IP
+```
+
+(Also make sure that `echo $SSH_AUTH_SOCK` is not empty; it shouldn't be if gnome-keyring-daemon is configured properly.)
 
 ### Webdev