diff --git a/README.md b/README.md
index 77e03573..e3584b9a 100644
--- a/README.md
+++ b/README.md
@@ -45,3 +45,14 @@ $ find
 $ # Sync and render everything
 $ myks all envs --log-level debug
 ```
+
+### Run
+
+#### Running `sync` against protected repositories and registries
+
+Vendir uses `secret` resources to authenticate against protected repositories. These are references by the `vendir.yaml` with the `secretRef` key. 
+
+Myks dynamically creates these secrets based on environment variables prefixed with `VENDIR_SECRET_`.
+For example, if you reference a secret named "mycreds" in your `vendir.yaml, you need to define the environment variables VENDIR_SECRET_MYCREDS_USERNAME` and `VENDIR_SECRET_MYCREDS_PASSWORD`.
+
+These secrets are cleaned up after the sync is complete.
diff --git a/cmd/sync.go b/cmd/sync.go
index ed5c4083..8a3f3804 100644
--- a/cmd/sync.go
+++ b/cmd/sync.go
@@ -11,7 +11,11 @@ func init() {
 	cmd := &cobra.Command{
 		Use:   "sync",
 		Short: "Sync vendir configs",
-		Long:  "Sync vendir configs",
+		Long: `Sync vendir configs. This will run vendir sync for all applications. 
+
+For authentication against protected repositories, authentication is achieved by using environment variables prefixed with "VENDIR_SECRET_". 
+For example, if you reference a secret named "mycreds" in your vendir.yaml, you would need to define the environment variables "VENDIR_SECRET_MYCREDS_USERNAME" and 
+"VENDIR_SECRET_MYCREDS_PASSWORD".`,
 		Run: func(cmd *cobra.Command, args []string) {
 			log.Info().Msg("Syncing vendir configs")
 			g := myks.New(".")