diff --git a/README.rst b/README.rst index fb0f52959..a4a5e7b65 100644 --- a/README.rst +++ b/README.rst @@ -188,6 +188,22 @@ the example files and pgp key provided with the repository:: This last step will decrypt ``example.yaml`` using the test private key. +Encrypting with GnuPG subkeys +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If you want to encrypt with specific GnuPG subkeys, it does not suffice to provide the +exact key ID of the subkey to SOPS, since GnuPG might use *another* subkey instead +to encrypt the file key with. To force GnuPG to use a specific subkey, you need to +append ``!`` to the key's fingerprint. + +.. code:: yaml + + creation_rules: + - pgp: >- + 85D77543B3D624B63CEA9E6DBC17301B491B3F21!, + E60892BB9BD89A69F759A1A0A3D652173B763E8F! + +Please note that this is only passed on correctly to GnuPG since SOPS 3.9.3. Encrypting using age ~~~~~~~~~~~~~~~~~~~~
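Review bot: The new paragraph should state that the forced subkey must be an encryption-capable (``E``) subkey; the ``!`` suffix only overrides GnuPG's subkey selection, it does not make a signing- or authentication-only subkey usable for encryption, and a reader who appends ``!`` to such a subkey's fingerprint will still get a GnuPG error. Two smaller points in the same hunk: the sentence "to encrypt the file key with" is awkward and uses "file key" where the rest of this README calls it the data key, so "to encrypt the data key" would read better and stay consistent; and the closing caveat "this is only passed on correctly to GnuPG since SOPS 3.9.3" would help more if it said what older versions do with the ``!`` (for example, whether it is silently dropped so GnuPG falls back to its own subkey choice), since that is the symptom a user on an older release will see. It is also worth saying explicitly that the ``!`` works on the full fingerprint shown in the example as well as on the long key ID, so readers do not assume only the 40-character form is accepted.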