diff --git a/docs/buildsys/koji-cbs-sigs.md b/docs/buildsys/koji-cbs-sigs.md
index dab017c..b354985 100644
--- a/docs/buildsys/koji-cbs-sigs.md
+++ b/docs/buildsys/koji-cbs-sigs.md
@@ -91,6 +91,66 @@ Kind Regards,
 
 Each SIG building RPM packages through https://cbs.centos.org community build service will need a GPG security key that will be then automatically be used by the signing service
 
+!!! danger
+    Due to sensitive information ,the following steps are restricted to a very limited number of people and on a restrictive node that doesn't have *any* direct inbound connection. Worth knowing that such node isn't reachable directly by the central ansible automation system, so ansible automation has to be ran "on demand" by people taking following actions.
+
+We first need to create a new GPG key on the signing machine , protected with a strong passphrase, that will be needed to unlock signing service/agent.
+
+To generate a strong passphrase you can for example use `openssl rand -base64 30` (or any other strong/long passphrase generator)
+
+Let's use the `sig-kmods` SIG as an example for the next steps (and of course adapt on each operation, manual step)
+We first need to ssh as the signing user (important for TTY) on the signing service machine. Then we can proceed like this : 
+
+```
+# Let's define some variables first
+sig_name="CentOS Kmods SIG"
+sig_url="https://wiki.centos.org/SpecialInterestGroup/Kmods"
+sig_key_passphrase="Of_Course_A_Real_Passphrase_generated_as_described_above" 
+# Creating the key in keyring
+gpg --batch --gen-key <<EOF
+Key-Type: 1
+Key-Length: 2048
+Subkey-Type: 1
+Subkey-Length: 2048
+Name-Real: ${sig_name}
+Name-Comment: ${sig_url}
+Name-Email: security@centos.org
+Passphrase: ${sig_key_passphrase}
+Expire-Date: 0
+EOF
+
+gpg: key 7AE06D54 marked as ultimately trusted
+```
+
+As we can see the key was created but we have first to unlock it now (in gpg-agent) with the generated passphrase, otherwise CBS signing service will be blocked (replace obviously gpg key id with the output above) :
+
+```
+# Unlocking the key
+key_id=$(gpg --list-keys | egrep -B 1 "${sig_name}"|head -n 1|awk '{print $2}'|cut -f 2 -d '/')
+test_file=$(mktemp)
+timeout 30 gpg --batch --sign -b --use-agent --local-user ${key_id} ${test_file} && rm ${test_file} || echo "Signing failed"
+```
+
+Now that CBS signing service is ready, we have to export the new key and so push it to the website (so that people can see it publicly to verify and also have it embedded in a centos-release-* rpm pkg : 
+
+```
+# extract key
+gpg --export --armor ${key_id} > /var/tmp/RPM-GPG-KEY-CentOS-SIG-$(echo ${sig_name/CentOS/}|sed 's/SIG//')
+gpg --with-fingerprint /var/tmp/RPM-GPG-KEY-CentOS-SIG-$(echo ${sig_name/CentOS/}|sed 's/SIG//')
+
+pub  2048R/7AE06D54 2021-06-22 CentOS Kmods SIG (https://wiki.centos.org/SpecialInterestGroup/Kmods) <security@centos.org>
+      Key fingerprint = 48EF 712E C5DD B68B 5280  BE45 5B8E 1A76 7AE0 6D54
+sub  2048R/E46DCBCB 2021-06-22
+
+```
+
+Now either submit a PR or directly do a git commit/push to [CentOS.org git repository](https://git.centos.org/centos/centos.org) and key will be available on website automatically after.
+Simply drop the `RPM-GPG-KEY-CentOS-SIG-<name>` under /keys/ directory and update /keys.md to add the link to download the key and show fingerprint
+
+Here is the Kmods SIG [commit](https://git.centos.org/centos/centos.org/c/fc51c0fc590ebdc734906343ccc392298fda930d?branch=master) given a reference
+
+!!! warning
+    Don't forget to also put the gpg passphrase in the git-crypted pkistore as it will be needed each time that we'll have to unlock the gpg keys in keyring (like on a reboot of the signing machine/service)
 
 
 ## Koji tags creation