diff --git a/examples/crypto/storageclass-crypto-global.yaml b/examples/crypto/storageclass-crypto-global.yaml
index 361e4a7..7176c3a 100644
--- a/examples/crypto/storageclass-crypto-global.yaml
+++ b/examples/crypto/storageclass-crypto-global.yaml
@@ -18,6 +18,12 @@ parameters:
 csi.storage.k8s.io/node-publish-secret-namespace: "longhorn-system"
 csi.storage.k8s.io/node-stage-secret-name: "longhorn-crypto"
 csi.storage.k8s.io/node-stage-secret-namespace: "longhorn-system"
+ # These two are for online expansion of encrypto volumes.
+ # But you need to enable the CSINodeExpandSecret feature gate for
+ # the kube-apiserver and kubelet. For more details, see:
+ # https://kubernetes.io/blog/2022/09/21/kubernetes-1-25-use-secrets-while-expanding-csi-volumes-on-node-alpha/
+ # csi.storage.k8s.io/node-expand-secret-name: "longhorn-crypto"
+ # csi.storage.k8s.io/node-expand-secret-namespace: "longhorn-system"
 # we only need crypto keys for node operations, I left these as examples
 # in case we implement external key vaults in the future
 # csi.storage.k8s.io/controller-publish-secret-name: "longhorn-crypto"
diff --git a/examples/crypto/storageclass-crypto-per-volume-dedicated-namespace.yaml b/examples/crypto/storageclass-crypto-per-volume-dedicated-namespace.yaml
index 38c4790..ee10173 100644
--- a/examples/crypto/storageclass-crypto-per-volume-dedicated-namespace.yaml
+++ b/examples/crypto/storageclass-crypto-per-volume-dedicated-namespace.yaml
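Review bot: The comment added in this hunk does not say that the node-expand secret has to be the same Secret that the node-stage and node-publish parameters point at, so a reader who uncomments the pair and edits only one value could hand the expansion call a different key than the one the volume was opened with (presumably the resize then fails; the driver code is not visible here). I would add a line such as `# Must reference the same Secret as the node-stage/node-publish parameters above.` and correct `encrypto volumes` to `encrypted volumes`. The linked post's URL marks the feature as alpha in Kubernetes 1.25, so the comment could also name that release, e.g. `# (alpha in Kubernetes 1.25, see link)`, to tell readers which clusters need the gate set by hand. The same comment block, with the same typo, is repeated in the hunks for storageclass-crypto-per-volume-dedicated-namespace.yaml and storageclass-crypto-per-volume.yaml.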
@@ -18,6 +18,12 @@ parameters:
 csi.storage.k8s.io/node-publish-secret-namespace: "longhorn-system"
 csi.storage.k8s.io/node-stage-secret-name: ${pvc.name}
 csi.storage.k8s.io/node-stage-secret-namespace: "longhorn-system"
+ # These two are for online expansion of encrypto volumes.
+ # But you need to enable the CSINodeExpandSecret feature gate for
+ # the kube-apiserver and kubelet. For more details, see:
+ # https://kubernetes.io/blog/2022/09/21/kubernetes-1-25-use-secrets-while-expanding-csi-volumes-on-node-alpha/
+ # csi.storage.k8s.io/node-expand-secret-name: ${pvc.name}
+ # csi.storage.k8s.io/node-expand-secret-namespace: "longhorn-system"
 # we only need crypto keys for node operations, I left these as examples
 # in case we implement external key vaults in the future
 # csi.storage.k8s.io/controller-publish-secret-name: ${pvc.name}
diff --git a/examples/crypto/storageclass-crypto-per-volume.yaml b/examples/crypto/storageclass-crypto-per-volume.yaml
index 0bf9a85..438df6d 100644
--- a/examples/crypto/storageclass-crypto-per-volume.yaml
+++ b/examples/crypto/storageclass-crypto-per-volume.yaml
@@ -18,6 +18,12 @@ parameters:
 csi.storage.k8s.io/node-publish-secret-namespace: ${pvc.namespace}
 csi.storage.k8s.io/node-stage-secret-name: ${pvc.name}
 csi.storage.k8s.io/node-stage-secret-namespace: ${pvc.namespace}
+ # These two are for online expansion of encrypto volumes.
+ # But you need to enable the CSINodeExpandSecret feature gate for
+ # the kube-apiserver and kubelet. For more details, see:
+ # https://kubernetes.io/blog/2022/09/21/kubernetes-1-25-use-secrets-while-expanding-csi-volumes-on-node-alpha/
+ # csi.storage.k8s.io/node-expand-secret-name: ${pvc.name}
+ # csi.storage.k8s.io/node-expand-secret-namespace: ${pvc.namespace}
 # we only need crypto keys for node operations, I left these as examples
 # in case we implement external key vaults in the future
 # csi.storage.k8s.io/controller-publish-secret-name: ${pvc.name}