diff --git a/tzpfms.pdf b/tzpfms.pdf
index 727ead2..2104900 100644
Binary files a/tzpfms.pdf and b/tzpfms.pdf differ
diff --git a/tzpfms.ps b/tzpfms.ps
index 44bde29..6dd49c3 100644
--- a/tzpfms.ps
+++ b/tzpfms.ps
@@ -1,6 +1,6 @@
%!PS-Adobe-3.0
%%Creator: groff version 1.23.0
-%%CreationDate: Thu Feb 29 07:28:31 2024
+%%CreationDate: Thu Feb 29 13:45:35 2024
%%DocumentNeededResources: font Times-Roman
%%+ font Times-Bold
%%+ font Courier-Bold
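Review bot: The %%CreationDate line is the only change in this hunk, so the committed tzpfms.ps will differ on every rebuild even when the manual text is untouched. If the generated PostScript has to stay in the repository, building it with a fixed SOURCE_DATE_EPOCH (which grops uses in place of the current time for this comment) would keep the line stable and leave only real content changes in the diff.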
@@ -289,22 +289,22 @@ SF(dataset)2.5 E F1(DESCRIPTION)72 141.6 Q F0(After)108 153.6 Q/F4 10
5.063(or a dataset from a FIDO2 de).15 F(vice,)-.25 E F2
(zfs-fido2-add-backup)108 165.6 Q F0(may be e)2.5 E -.15(xe)-.15 G
(cuted to e).15 E(xtend this to an)-.15 E 2.5(yn)-.15 G
-(umber of additional de)-2.5 E(vices.)-.25 E 8.082
-(First, the wrapping k)108 182.4 R 8.382 -.15(ey i)-.1 H 10.582(se).15 G
-8.082(xtracted from the "primary" de)-10.732 F 8.082
-(vice as normal during)-.25 F F4(zfs-fido2-load-key)108 194.4 Q F0 1.019
-(\(8\), then a credential is made as-if during)B F4
-(zfs-fido2-change-key)3.519 E F0(\(8\))A(\(e)108 206.4 Q 1.582
-(xcept the "primary" de)-.15 F 1.582(vice is e)-.25 F 1.583
-(xcluded from the search\); ho)-.15 F(we)-.25 E -.15(ve)-.25 G 2.383 -.4
-(r, t).15 H(he).4 E F4(hmac-secret)4.083 E F0 1.583(is instead)4.083 F
-.708(used as a symmetric AES-256-GCM \()108 218.4 R F4(EVP_CIPHER-AES)A
-F0 .708(\(7ssl\)\) k)B 1.008 -.15(ey t)-.1 H 3.208(oe).15 G .708
-(ncrypt the wrapping k)-3.208 F 1.007 -.15(ey d)-.1 H(i-).15 E
-(rectly with a random IV)108 230.4 Q(.)-1.29 E(This turns the)108 247.2
-Q F4(xyz.nabijaczleweli:tzpfms.key)2.5 E F0 -.25(va)2.5 G(riable into)
-.25 E F3(salt)108 259.2 Q F2(:)A F3(credential-ID)A F2(:)A F3
-(credential-public-key)A F0([)A F2(.)A F3(backup-salt)A F2(:)A F3
+(umber of additional de)-2.5 E(vices.)-.25 E .273(First, the wrapping k)
+108 182.4 R .574 -.15(ey i)-.1 H 2.774(se).15 G .274
+(xtracted as normally during)-2.924 F F4(zfs-fido2-load-key)2.774 E F0
+.274(\(8\), then a credential)B 1.604(is made as-if during)108 194.4 R
+F4(zfs-fido2-change-key)4.104 E F0 1.604(\(8\) \(e)B 1.604
+(xcept the "primary" de)-.15 F 1.603(vice and all the ones)-.25 F .185
+(holding backups are e)108 206.4 R .185(xcluded from the search\); ho)
+-.15 F(we)-.25 E -.15(ve)-.25 G .985 -.4(r, t).15 H(he).4 E F4
+(hmac-secret)2.685 E F0 .185(is instead used as a sym-)2.685 F 1.555
+(metric AES-256-GCM \()108 218.4 R F4(EVP_CIPHER-AES)A F0 1.555
+(\(7ssl\)\) k)B 1.855 -.15(ey t)-.1 H 4.055(oe).15 G 1.555
+(ncrypt the wrapping k)-4.055 F 1.855 -.15(ey d)-.1 H 1.555
+(irectly with a).15 F(random IV)108 230.4 Q(.)-1.29 E(This turns the)108
+247.2 Q F4(xyz.nabijaczleweli:tzpfms.key)2.5 E F0 -.25(va)2.5 G
+(riable into).25 E F3(salt)108 259.2 Q F2(:)A F3(credential-ID)A F2(:)A
+F3(credential-public-key)A F0([)A F2(.)A F3(backup-salt)A F2(:)A F3
(backup-credential-ID)108 271.2 Q F2(:)A F3
(backup-credential-public-key)A F2(:)A F3(IV)A F2(:)A F3(encrypted-key)A
F0 1.666(]...)C F4(tzpfms.key)108 288 Q F0 2.238
diff --git a/zfs-fido2-add-backup.8 b/zfs-fido2-add-backup.8
index f74d100..08a80cb 100644
--- a/zfs-fido2-add-backup.8
+++ b/zfs-fido2-add-backup.8
@@ -19,11 +19,11 @@ derives the key for a dataset from a FIDO2 device,
.Nm
may be executed to extend this to any number of additional devices.
.Pp
-First, the wrapping key is extracted from the "primary" device as normal during
+First, the wrapping key is extracted as normally during
.Xr zfs-fido2-load-key 8 ,
then a credential is made as-if during
.Xr zfs-fido2-change-key 8
-(except the "primary" device is excluded from the search);
+(except the "primary" device and all the ones holding backups are excluded from the search);
however, the
.Ql hmac-secret
is instead used as a symmetric AES-256-GCM
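Review bot: On the first added line, "extracted as normally during" is not grammatical, and removing 'from the "primary" device' means the sentence no longer says where the wrapping key comes from, while the parenthetical a few lines down still refers to 'the "primary" device' as if it had been introduced. Suggest "extracted as normal during" (or "as it normally is during"), and if the intent is that any already-enrolled device may supply the key, say so explicitly. The replacement parenthetical line is also far longer than its neighbours; breaking it after "backups" would match the one-phrase-per-line layout of the rest of the source.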
diff --git a/zfs-fido2-add-backup.8.html b/zfs-fido2-add-backup.8.html
index aa834f0..e6d3444 100644
--- a/zfs-fido2-add-backup.8.html
+++ b/zfs-fido2-add-backup.8.html
@@ -39,14 +39,14 @@
derives the key for a dataset from a FIDO2 device,
zfs-fido2-add-backup
may be executed to extend this
to any number of additional devices.
First, the wrapping key is extracted from the "primary" - device as normal during +
First, the wrapping key is extracted as normally during
zfs-fido2-load-key(8),
then a credential is made as-if during
zfs-fido2-change-key(8)
- (except the "primary" device is excluded from the search);
- however, the ‘hmac-secret
’ is instead
- used as a symmetric AES-256-GCM
+ (except the "primary" device and all the ones holding backups are
+ excluded from the search); however, the
+ ‘hmac-secret
’ is instead used as a
+ symmetric AES-256-GCM
(EVP_CIPHER-AES(7ssl))
key to encrypt the wrapping key directly with a random IV.
This turns the