Update doc on encryption contexts

README.rst

@@ -271,11 +271,27 @@ appending it to the ARN of the master key, separated by a **+** sign::
 	arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500+arn:aws:iam::927034868273:role/sops-dev-xyz
 
 AWS KMS Encryption Context
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 SOPS has the ability to use AWS KMS key policy and encryption context
 <http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html>
 to refine the access control of a given KMS master key.
+
+When creating a new file, you can specify encryption context in the
+`--encryption-context` flag by comma separated list of key-value pairs:
+
+When creating a new file, you can specify encryption context in the
+`--encryption-context` flag by comma separated list of key-value pairs:
+
+.. code:: bash
+
+	$ sops --encryption-context Environment:production,Role:web-server test.dev.yaml
+
+The format of the Encrypt Context string is `<EncryptionContext Key>:<EncryptionContext Value>,<EncryptionContext Key>:<EncryptionContext Value>,...`
+
+The encryption context will be stored in the file metadata and does
+not need to be provided at decryption.
+
 Encryption contexts can be used in conjunction with KMS Key Policies to define
 roles that can only access a given context. An example policy is shown below:
 
@@ -296,15 +312,6 @@ roles that can only access a given context. An example policy is shown below:
       }
     }
 
-When creating a new file, you can specify encryption context in the
-`--encryption-context` flag by comma separated list of key-value pairs:
-
-	<EncryptionContext Key>:<EncryptionContext Value>,<EncryptionContext Key>:<EncryptionContext Value>
-	eg.Environment:production,Role:web-server
-
-The encryption context will be stored in the file metadata and not need to be provided at decryption.
-
-
 Key Rotation
 ~~~~~~~~~~~~