diff --git a/docs/paranoid.md b/docs/paranoid.md
index f048a70..79a8fdf 100644
--- a/docs/paranoid.md
+++ b/docs/paranoid.md
@@ -36,6 +36,14 @@ EasyRSA will generate 4096 bit RSA keys when the `-e EASYRSA_KEY_SIZE=4096` argu
     docker run -e EASYRSA_KEY_SIZE=4096 -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
     docker run -e EASYRSA_KEY_SIZE=4096 -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
 
+## Logging and stdout
+
+Because you are running within Docker, remember that any command that generates output to stdout may also log that output through Docker's log-driver mechanism. That may mean that e.g. keying material generated by `ovpn_getclient` will be logged somewhere that you don't want it to be logged.
+
+A simple way to avoid having Docker log output for a given command is to run with `--log-driver=none`, e.g
+
+    docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn ovpn_getclient USER > USER.ovpn
+
 ## Additional Resources
 
 Have a look at the [Applied-Crypto-Hardening](https://github.com/BetterCrypto/Applied-Crypto-Hardening/tree/master/src/configuration/VPNs/OpenVPN) project for more examples.