diff --git a/POSTINSTALL-README.md b/POSTINSTALL-README.md
new file mode 100644
index 0000000..22fce66
--- /dev/null
+++ b/POSTINSTALL-README.md
@@ -0,0 +1,19 @@
+# secureblue
+
+After rebasing to secureblue, the following steps are recommended.
+
+## Set a GRUB password
+
+*to be added*
+
+## Create a separate wheel account for admin purposes
+
+Creating a dedicated wheel user and removing wheel from your primary user helps prevent certain attack vectors:
+
+https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#LD_PRELOAD
+https://www.kicksecure.com/wiki/Root#Prevent_Malware_from_Sniffing_the_Root_Password
+
+1. ```adduser admin```
+2. ```usermod -aG wheel admin```
+3. ```gpasswd -d {your username here} wheel```
+4. reboot
\ No newline at end of file
diff --git a/README.md b/README.md
index 97093e9..eb18023 100644
--- a/README.md
+++ b/README.md
@@ -154,6 +154,9 @@ To rebase an existing Silverblue/Kinoite installation to the latest build:
 
 After installation, [yafti](https://github.com/ublue-os/yafti) will open. Make sure to follow the steps listed carefully and read the directions closely.
 
+Have a look at [POSTINSTALL-README](POSTINSTALL-README.md).
+
+
 #### Kargs
 To append kernel boot parameters that apply additional hardening (reboot required):