diff --git a/docs/usage/private-modules.md b/docs/usage/private-modules.md
index 29ee645095f5d2a86af046aa25f124e9c6144f35..87159f65ba7acf442ecb3eeac384a060a86b7bf5 100644
--- a/docs/usage/private-modules.md
+++ b/docs/usage/private-modules.md
@@ -198,7 +198,7 @@ The WhiteSource Renovate App does not run using GitHub Actions, but such secrets
 
 ## Admin/Bot config vs User/Repository config for Self-hosted users
 
-"AdminBot config" refers to the config which the Renovate Bot administrator provides at bot startup, e.g. using environment variables, CLI parameters, or the `config.js` configuration file.
+"Admin/Bot config" refers to the config which the Renovate Bot administrator provides at bot startup, e.g. using environment variables, CLI parameters, or the `config.js` configuration file.
 User/Repository config refers to the in-repository config file which defaults to `renovate.json` but has a large number of alternative filenames supported.
 
 If there is a need to supply custom rules for certain repository, it can still be done using the `config.js` file and the `repositories` array.
@@ -212,6 +212,8 @@ For instructions on this, see the above section on encrypting secrets for the Wh
 - Use the resulting HTML encrypt page to encrypt secrets for your app before adding them to user/repository config
 - Configure the app to run with `privateKey` set to the private key you generated above
 
+Note: Encrypted values can't be used in the "Admin/Bot config".
+
 ### hostRules configuration using environment variables
 
 Self-hosted users can use environment variables to configure the most common types of `hostRules` for authentication.
diff --git a/docs/usage/self-hosted-configuration.md b/docs/usage/self-hosted-configuration.md
index c2e3b518756c49b2e4a838c8424ff897419e7c3e..9662206fef2334f9e6b7bd94abd2537cb991674d 100644
--- a/docs/usage/self-hosted-configuration.md
+++ b/docs/usage/self-hosted-configuration.md
@@ -330,6 +330,14 @@ To create the key pair with OpenSSL use the following commands:
 - `openssl genrsa -out rsa_priv.pem 4096` for generating the private key
 - `openssl rsa -pubout -in rsa_priv.pem -out rsa_pub.pem` for extracting the public key
 
+To encrypt a secret with OpenSSL use the following command:
+
+```bash
+echo 'actual-secret' | openssl rsautl -encrypt -pubin -inkey rsa_pub.pem | base64
+```
+
+Replace `actual-secret` with the secret to encrypt.
+
 ## privateKeyPath
 
 Used as an alternative to `privateKey`, if you wish for the key to be read from disk instead.