Diffstat (limited to 'man')
-rw-r--r-- man/common_options.adoc 15
1 files changed, 15 insertions, 0 deletions
diff --git a/man/common_options.adoc b/man/common_options.adoc
index 5c11309..841929b 100644
--- a/man/common_options.adoc
+++ b/man/common_options.adoc
@@ -332,11 +332,26 @@ Format LUKS2 device with dm-crypt encryption stacked on top HW based encryption
on SED OPAL locking range. This option enables both SW and HW based data encryption.
endif::[]
+ifdef::ACTION_ERASE[]
+*--hw-opal-factory-reset*::
+Erase *ALL* data on the OPAL self-encrypted device, regardless of the partition it is ran on, if any,
+and does not require a valid LUKS2 header to be present on the device to run. After providing
+correct PSID via interactive prompt or via *--key-file* parameter the device is erased.
+endif::[]
+
ifdef::ACTION_LUKSFORMAT[]
*--hw-opal-only*::
Format LUKS2 device with HW based encryption configured on SED OPAL locking range only. LUKS2
format only manages locking range unlock key. This option enables HW based data encryption managed
by SED OPAL drive only.
++
+*NOTE*: Please note that with OPAL-only (--hw-opal-only) encryption,
+the configured OPAL administrator PIN (passphrase) allows unlocking
+all configured locking ranges without LUKS keyslot decryption
+(without knowledge of LUKS passphrase).
+Because of many observed problems with compatibility, cryptsetup
+currently DOES NOT use OPAL single-user mode, which would allow such
+decoupling of OPAL admin PIN access.
endif::[]
ifdef::ACTION_REENCRYPT[]
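Review bot: The new *--hw-opal-factory-reset* entry needs a wording pass before it goes into the man page, since this is the text a user reads before a destructive operation. "regardless of the partition it is ran on" should read "it is run on", and the first sentence switches from the imperative "Erase *ALL* data" to "and does not require a valid LUKS2 header", which leaves the second clause without a subject. Splitting it into two sentences would fix this: one stating that the whole device is erased even when the command is run on a partition, and one stating that no valid LUKS2 header is needed. In the *--hw-opal-only* note, "*NOTE*: Please note that" is redundant, and the closing phrase "such decoupling of OPAL admin PIN access" does not say what is decoupled from what. Since the security-relevant point is that the OPAL administrator PIN unlocks all configured locking ranges without the LUKS passphrase, it would help to state the decoupling in those same terms. The note could also say whether it applies only to --hw-opal-only or also to the --hw-opal option described just above it in this file.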