diff --git a/pkg/services/secrets/secrets.go b/pkg/services/secrets/secrets.go
index c54535a1d0a..282c1d42f3f 100644
--- a/pkg/services/secrets/secrets.go
+++ b/pkg/services/secrets/secrets.go
@@ -10,6 +10,10 @@ import (
 // Service is an envelope encryption service in charge of encrypting/decrypting secrets.
 // It is a replacement for encryption.Service
 //
+// For all encrypted secrets stored in the database, a migrator is needed to re-encrypt
+// the secrets every time the encryption key has been rotated. Please add your database
+// secrets to the migrator slice available in ./migrator/migrator.go.
+//
 //go:generate mockery --name Service --structname MockService --outpkg fakes --filename mock_service.go --output ./fakes/
 type Service interface {
 // Encrypt MUST NOT be used within database transactions, it may cause database locks.
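Review bot: The added doc comment on Service says secrets must be re-encrypted "every time the encryption key has been rotated" but does not say which key is meant. The first context line describes the service as envelope encryption, which normally involves both data keys and a key that wraps them, so a reader cannot tell which rotation requires the migrator. I would name the key explicitly and state what happens to a secret that is not registered, for example `// Secrets missing from that slice are not re-encrypted on rotation and stay under the previous key.`, once that behaviour is confirmed against the migrator. Because the requirement is carried only by this comment, a test that fails when an encrypted database secret has no migrator entry would be a stronger guard, if the package layout allows one. The Service interface body continues outside the hunk.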