diff --git a/content/os/Using Split GPG and Split SSH on Qubes OS.md b/content/os/Using Split GPG and Split SSH on Qubes OS.md index 3f0848f..6822a9e 100644 --- a/content/os/Using Split GPG and Split SSH on Qubes OS.md +++ b/content/os/Using Split GPG and Split SSH on Qubes OS.md @@ -19,14 +19,18 @@ Note that if you already have a PGP key with a passphrase, you can remove it by This part is based on the Qubes Community's [guide](https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/split-ssh.md); however, I will deviate from it to use the PGP keys for SSH instead of generating a new key pair. -In `dom0`: +### In `dom0` - Create `/etc/qubes-rpc/policy/qubes.SshAgent` with `@anyvm @anyvm ask,default_target=vault` as the content. Since the keys ar not passphrase protected, you should **not** set the policy to allow. -In `vault` AppVM: +### In `vault` AppVM: - Add `enable-ssh-support` to the end of `~/.gnupg/gpg-agent.conf` +- Get your keygrip with `gpg --with-keygrip -k` +- Add your keygrip to the end of `~/.gnupg/sshconrol` -In `vault`'s TemplateVM: +~[PGP Keygrip](/images/keygrip.png) + +### In `vault`'s TemplateVM: - Create `/etc/qubes-rpc/qubes.SshAgent` with the following content: ```bash @@ -48,7 +52,7 @@ socat - "UNIX-CONNECT:$SSH_AUTH_SOCK" - Make it executable with `sudo chmod +x /etc/qubes-rpc/qubes.SshAgent` - Turn off the templateVM. If the `vault` VM is running, turn it off, then start it to update the VM's configuration. -In `ssh-client` AppVM: +### In `ssh-client` AppVM: - Add the following to the end of `/rw/config/rc.local`: ```bash diff --git a/static/images/keygrip.png b/static/images/keygrip.png new file mode 100644 index 0000000..df1a814 Binary files /dev/null and b/static/images/keygrip.png differ
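Review bot: In the `vault` AppVM section of the first hunk, the added line points at `~/.gnupg/sshconrol`, which is missing a `t`. gpg-agent reads `~/.gnupg/sshcontrol`, so a reader who copies the path as written creates a file the agent never consults, and the key is not offered to SSH clients. The image line added just below it starts with `~[PGP Keygrip]` instead of `![PGP Keygrip]`, so Markdown will render a literal `~` followed by a link rather than embedding `/images/keygrip.png`. Since `gpg --with-keygrip -k` prints a keygrip for the primary key and for each subkey, the step should also say which one to add (the key with authentication capability). While touching this area, the unchanged `dom0` line still reads "the keys ar not passphrase protected" and could be fixed in the same commit.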
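Review bot: In the second hunk, the new heading `### In `ssh-client` AppVM:` keeps the trailing colon from the old inline label, as do the two `vault` headings in the first hunk, while `### In `dom0`` drops it. Now that these are headings rather than lead-in lines, the colon is no longer needed; remove it from all four so the headings are consistent.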