diff --git a/salt/dotfiles b/salt/dotfiles
index 09bb64f6..39a4938f 160000
--- a/salt/dotfiles
+++ b/salt/dotfiles
@@ -1 +1 @@
-Subproject commit 09bb64f6526aa66da031e3fa2316732d4a1ea802
+Subproject commit 39a4938fb67d43af134f2effc419897dbfab40da
diff --git a/salt/qubes-builder/files/admin/policy/default.policy b/salt/qubes-builder/files/admin/policy/default.policy
index f03622f4..fbd9e1d4 100644
--- a/salt/qubes-builder/files/admin/policy/default.policy
+++ b/salt/qubes-builder/files/admin/policy/default.policy
@@ -5,9 +5,8 @@
 ## Do not modify this file, create a new policy with with a lower number in the
 ## file name instead. For example `30-user.policy`.
-
-## TODO: split-gpg2 configuration for isolated_gnupghomedirs.
 qubes.Gpg2 * {{ sls_path }} @default allow target=sys-pgp
+qubes.Gpg2 * {{ sls_path }} @anyvm deny
 qusal.GitInit +qubes-builder {{ sls_path }} @default allow target=sys-git
 qusal.GitFetch +qubes-builder {{ sls_path }} @default allow target=sys-git
diff --git a/salt/sys-pgp/README.md b/salt/sys-pgp/README.md
index af8df13d..340569d4 100644
--- a/salt/sys-pgp/README.md
+++ b/salt/sys-pgp/README.md
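Review bot: The added `qubes.Gpg2 * {{ sls_path }} @anyvm deny` depends on staying below the `@default allow target=sys-pgp` line: qrexec policy is first-match and `@anyvm` in the target column also matches `@default`, so moving the deny up would silently cut the builder qube off from sys-pgp. A one-line comment would protect that invariant, e.g. `## First match wins: the @anyvm deny must stay below the @default allow.` The deny itself reads as a sensible backstop, since it stops explicit-target calls such as `qrexec-client-vm sys-pgp qubes.Gpg2` from this qube from falling through to later policy files. The hunk also drops the `isolated_gnupghomedirs` TODO without anything in this file showing it resolved; if the per-qube homedir now lives in the sys-pgp state (the README hunk suggests `~/.gnupg/split-gpg/<qube>`), a pointer such as `## sys-pgp serves a per-client homedir; see salt/sys-pgp/README.md` would keep that traceable.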
@@ -59,5 +59,25 @@ qubes.Gpg2 * @anyvm @anyvm deny
 ## Usage
-Consult [upstream documentation](https://www.qubes-os.org/doc/split-gpg/) on
-how to use split-gpg.
+Consult [upstream documentation](https://github.com/ben-grande/qubes-app-linux-split-gpg2) on
+how to use split-gpg2.
+
+Save your PGP keys to `sys-pgp`, using isolated GnuPG home directory per qube
+at `~/.gnupg/split-gpg/`.
+
+On `dom0`, enabled the service `split-gpg2-client` for the client qube `dev`:
+```sh
+qvm-features dev service.split-gpg2-client 1
+```
+
+On the qube `sys-pgp`, generate or import keys for the client qube `dev`:
+```sh
+mkdir -p ~/.gnupg/split-gpg/dev
+gpg --homedir ~/.gnupg/split-gpg/dev --import /path/to/secret.key
+gpg --homedir ~/.gnupg/split-gpg/dev --list-secret-keys
+```
+
+On the qube `dev`, import the public part of your key:
+```sh
+gpg --import /path/to/public.key
+```