diff --git a/zfs-tpm1x-change-key.8 b/zfs-tpm1x-change-key.8 index 08e95bd..26a2b79 100644 --- a/zfs-tpm1x-change-key.8 +++ b/zfs-tpm1x-change-key.8 @@ -23,7 +23,7 @@ The following properties are set on \fBdataset\fR: .P \fBtzpfms\.backend\fR identifies this dataset for work with \fITPM1\.X\fR\-back\-ended tzpfms tools (namely zfs\-tpm1x\-change\-key(8), zfs\-tpm1x\-load\-key(8), and zfs\-tpm1x\-clear\-key(8))\. .P -\fBtzpfms\.key\fR is a colon\-separated pair of hexadecimal\-string (i\.e\. "4F7730" for "Ow0") blobs; the first one represents the RSA key protecting the blob, and it is protected with either the password, if provided, or the SHA1 constant \fICE4CF677875B5EB8993591D5A9AF1ED24A3A8736\fR; the second represents the sealed object containing the wrapping key, and is protected with the SHA1 constant \fIB9EE715DBE4B243FAA81EA04306E063710383E35\fR\. There exists no other user\-land tool for decrypting this\. (TODO: make an LD_PRELOADable for extracting the key maybe) +\fBtzpfms\.key\fR is a colon\-separated pair of hexadecimal\-string (i\.e\. "4F7730" for "Ow0") blobs; the first one represents the RSA key protecting the blob, and it is protected with either the password, if provided, or the SHA1 constant \fICE4CF677875B5EB8993591D5A9AF1ED24A3A8736\fR; the second represents the sealed object containing the wrapping key, and is protected with the SHA1 constant \fIB9EE715DBE4B243FAA81EA04306E063710383E35\fR\. There exists no other user\-land tool for decrypting this; perhaps there should be\. .P Finally, the equivalent of \fBzfs(8) change\-key \-o keylocation=prompt \-o keyformat=raw dataset\fR is performed with the new key\. If an error occurred, best effort is made to clean up the properties, or to issue a note for manual intervention into the standard error stream\. .P diff --git a/zfs-tpm1x-change-key.8.html b/zfs-tpm1x-change-key.8.html index 4d03b94..852b0d0 100644 --- a/zfs-tpm1x-change-key.8.html +++ b/zfs-tpm1x-change-key.8.html 
@@ -114,7 +114,7 @@ the first one represents the RSA key protecting the blob, and it is protected with either the password, if provided, or the SHA1 constant CE4CF677875B5EB8993591D5A9AF1ED24A3A8736; the second represents the sealed object containing the wrapping key, and is protected with the SHA1 constant B9EE715DBE4B243FAA81EA04306E063710383E35. -There exists no other user-land tool for decrypting this. (TODO: make an LD_PRELOADable for extracting the key maybe)
+There exists no other user-land tool for decrypting this; perhaps there should be.Finally, the equivalent of zfs(8) change-key -o keylocation=prompt -o keyformat=raw dataset is performed with the new key. If an error occurred, best effort is made to clean up the properties, diff --git a/zfs-tpm1x-change-key.8.html_fragment b/zfs-tpm1x-change-key.8.html_fragment index 1a65c33..46dd327 100644 --- a/zfs-tpm1x-change-key.8.html_fragment +++ b/zfs-tpm1x-change-key.8.html_fragment @@ -42,7 +42,7 @@ the first one represents the RSA key protecting the blob, and it is protected with either the password, if provided, or the SHA1 constant CE4CF677875B5EB8993591D5A9AF1ED24A3A8736; the second represents the sealed object containing the wrapping key, and is protected with the SHA1 constant B9EE715DBE4B243FAA81EA04306E063710383E35. -There exists no other user-land tool for decrypting this. (TODO: make an LD_PRELOADable for extracting the key maybe)
+There exists no other user-land tool for decrypting this; perhaps there should be.Finally, the equivalent of zfs(8) change-key -o keylocation=prompt -o keyformat=raw dataset is performed with the new key. If an error occurred, best effort is made to clean up the properties, diff --git a/zfs-tpm1x-change-key.md b/zfs-tpm1x-change-key.md index b9bc7e1..36815ff 100644 --- a/zfs-tpm1x-change-key.md +++ b/zfs-tpm1x-change-key.md @@ -33,7 +33,7 @@ the first one represents the RSA key protecting the blob, and it is protected with either the password, if provided, or the SHA1 constant *CE4CF677875B5EB8993591D5A9AF1ED24A3A8736*; the second represents the sealed object containing the wrapping key, and is protected with the SHA1 constant *B9EE715DBE4B243FAA81EA04306E063710383E35*. -There exists no other user-land tool for decrypting this. (TODO: make an LD_PRELOADable for extracting the key maybe) +There exists no other user-land tool for decrypting this; perhaps there should be. Finally, the equivalent of **zfs(8) change-key -o keylocation=prompt -o keyformat=raw dataset** is performed with the new key. If an error occurred, best effort is made to clean up the properties,
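Review bot: in the zfs-tpm1x-change-key.8 hunk, the replacement "There exists no other user\-land tool for decrypting this; perhaps there should be\." drops the one concrete idea the old text carried (an LD_PRELOADable for extracting the key) and leaves an aside that tells the reader nothing actionable. A manual page is better served by stating what the user can rely on today, for example that only the tzpfms tools named under tzpfms.backend can unseal this property, with the wish for a standalone tool moved to an issue or TODO file where it can be tracked.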
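Review bot: in the zfs-tpm1x-change-key.8.html and zfs-tpm1x-change-key.8.html_fragment hunks, the added line reads "perhaps there should be.Finally, the equivalent of zfs(8) change-key ..." with nothing visible between the two sentences, while the roff hunk keeps a .P between them and the .md hunk starts "Finally" on its own line. Please confirm the regenerated HTML still ends the paragraph after "should be." and opens a new one for "Finally", so the rendered outputs match the roff and Markdown sources.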
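Review bot: in the zfs-tpm1x-change-key.md hunk, the context just above the changed sentence says the RSA key is protected with "either the password, if provided, or the SHA1 constant" and the sealed object with a second SHA1 constant, and the edit leaves that unexplained while touching the same paragraph. Both constants are printed in this page, so they cannot act as secrets; a short sentence saying so, and that a password is the only user-chosen secret in this scheme, would let an administrator judge the no-password case correctly. Since this file appears to be the source for the other three outputs, the wording only needs to be added here and regenerated.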