-rw-r--r--README.md11
-rw-r--r--metadata/policy.go2
2 files changed, 7 insertions, 6 deletions
diff --git a/README.md b/README.md
index 23aa542..73153ed 100644
--- a/README.md
+++ b/README.md
@@ -430,11 +430,12 @@ information to the syslog.
This step is only needed if you installed `fscrypt` from source code.
Some Linux distros use restrictive settings in `/etc/pam.d/other` that prevent
-non-whitelisted programs from checking your login passphrase. This prevents
-`fscrypt` from creating any login passphrase-protected directories, even without
-auto-unlocking. To ensure that `fscrypt` will work properly (if you didn't
-install an official `fscrypt` package from your distro, which should have
-already handled this), also create a file `/etc/pam.d/fscrypt` containing:
+programs from checking your login passphrase unless a per-program PAM
+configuration file grants access. This prevents `fscrypt` from creating any
+login passphrase-protected directories, even without auto-unlocking. To ensure
+that `fscrypt` will work properly (if you didn't install an official `fscrypt`
+package from your distro, which should have already handled this), also create a
+file `/etc/pam.d/fscrypt` containing:
```
auth required pam_unix.so
```
diff --git a/metadata/policy.go b/metadata/policy.go
index 76c2e6f..e218a08 100644
--- a/metadata/policy.go
+++ b/metadata/policy.go
@@ -205,7 +205,7 @@ func shouldUseDirectKeyFlag(options *EncryptionOptions) bool {
if options.Contents != options.Filenames {
return false
}
- // Whitelist the modes that take a 24+ byte IV (enough room for the per-file nonce)
+ // Currently only Adiantum supports DIRECT_KEY.
return options.Contents == EncryptionOptions_Adiantum
}
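Review bot: The replacement comment above `return options.Contents == EncryptionOptions_Adiantum` drops the reason the restriction exists. The removed line recorded that DIRECT_KEY is limited to modes whose IV is 24+ bytes so the per-file nonce fits, which is the property anyone adding a mode here later has to re-check; "currently only Adiantum" on its own reads as an arbitrary limit. I would keep the new wording and carry the rationale over, e.g. `// Currently only Adiantum supports DIRECT_KEY: the mode must take a 24+ byte IV,` followed by `// enough room for the per-file nonce.` shouldUseDirectKeyFlag begins above this hunk, so any earlier conditions in it are not visible here.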