diff --git a/book/source/05-private.md b/book/source/05-private.md index 87c7c11..3917324 100644 --- a/book/source/05-private.md +++ b/book/source/05-private.md @@ -119,6 +119,23 @@ OpenPGP card devices do not store the full OpenPGP certificate. Instead, they ha [^missing-ecdh]: In the case of ECDH keys, the KDF parameters (hash function ID and a symmetric encryption algorithm ID) are not stored on the OpenPGP card. This is considered a flaw in the OpenPGP card specification. These missing parameters can be handled in two ways, by OpenPGP software running on the host computer: Either by consulting a copy of the component key (e.g. by inspecting a copy of the certificate), or by deducing the missing KDF parameters from the OpenPGP fingerprint that is stored on the card. +## What a private key store does + +```{admonition} TODO +:class: warning + +write +``` + +```{admonition} VISUAL +:class: warning + +show examples for the operations in a private key store. + +- re-use the visual elements of the lowest level in the ch6 "how signatures are made" diagram (ch 6): "making a cryptographic signature from a hash digest" +- analogous: once we have a visual for the low level asymmetric decryption operation (in ch11), mirror it here +``` + ## Advanced topics ### TSKs: Best practices S2K + S2K migration?
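Review bot: The new "## What a private key store does" section lands in the published chapter with no body text, only a `TODO` admonition reading "write" and a `VISUAL` admonition, both `:class: warning`, so a reader of the rendered book sees two warning boxes and an empty heading between the `[^missing-ecdh]` footnote and "## Advanced topics". Consider holding the heading and admonitions in a draft branch until the section text exists, or adding at least a short body now that names the operations the VISUAL note already lists (making a signature from a hash digest, and the low-level asymmetric decryption operation), so the section is not a visible placeholder. Minor: the VISUAL bullet says "ch6 ... diagram (ch 6)", which repeats the chapter reference; one mention is enough.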