diff --git a/doc/source/zuul.rst b/doc/source/zuul.rst index 08d2a63c2e..04c741da07 100644 --- a/doc/source/zuul.rst +++ b/doc/source/zuul.rst @@ -219,12 +219,28 @@ troubleshooting, since random padding means encrypting the same plaintext a second time will result in wholly different ciphertext. In order to avoid unintentional disclosure this should only be done when absolutely necessary, but it's possible to decrypt a secret locally on -the scheduler server with a command like the following (just extract the -secret ciphertext from the job configuration first to remove surrounding -YAML, there is no need to recombine split lines):: +the scheduler server. The first step is extracting the key data from +our daily key backups:: + + root@zuul# jq --raw-output '.keys."/keystorage/gerrit/opendev/opendev%2Fsystem-config".keys[0].private_key' /var/lib/zuul/zuul-keys-backup.json + +The name between the double quotes is the path to the project's keys in +ZooKeeper. To construct this you will need to know the Zuul connection name +and full project name. The connection name in the example above is 'gerrit', +replace it with the appropriate connection name for the project you are looking +at. Next is the unique project name. In the example above we start with +`opendev/system-config` and split it on `/`. Everything before the first `/` +is the next component of our name in this case, `opendev`. Then we take the +entire name `opendev/system-config` and URL encode it to get +`opendev%2Fsystem-config` which becomes our last component. + +Save the output of this jq command to a file `secret.pem`. Then extract the +secret ciphertext from the job configuration to remove surrounding +YAML (there is no need to recombine split lines) and run the following +command to decrypt:: cat ciphertext.txt | sed 's/^ *//' | base64 -d | sudo openssl rsautl -decrypt -oaep -inkey \ - /var/lib/zuul/keys/secrets/project/gerrit/openstack-infra/project-config/0.pem + secret.pem .. _zuul_github_projects:
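Review bot: the new procedure writes the project's RSA private key to disk in the clear ("Save the output of this jq command to a file `secret.pem`") but never tells the operator to restrict or remove it afterward, so the private key can outlive the troubleshooting session on the scheduler; add a final step such as `shred -u secret.pem` (or create the file under `umask 077`) so the key is not left world-readable in a working directory. Two smaller points in the same hunk: the `jq` filter selects `.keys[0].private_key` without saying whether index 0 is the current key or the oldest one in the backup, which matters once keys have been rotated, so a sentence stating which entry to pick would help; and the markup is inconsistent, with `'gerrit'` in single quotes while the other identifiers use single backticks, which in reStructuredText is the interpreted-text role rather than a literal, so ``gerrit``, ``opendev/system-config`` and ``secret.pem`` with double backticks would render as intended.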