diff --git a/doc/todo/multi_gpg_key_privdata.mdwn b/doc/todo/multi_gpg_key_privdata.mdwn
new file mode 100644
index 0000000..754aa7e
--- /dev/null
+++ b/doc/todo/multi_gpg_key_privdata.mdwn
@@ -0,0 +1,6 @@
+To support multiple gpg keys added with --add-key, propellor should
+
+* When it encrypts the privdata after a change, encrypt it to all keys
+  listed in `privdata/keyring.gpg`
+* When --add-key adds a new key, it should re-encrypt the privdata,
+  so that this new key can access it.