diff --git a/components/nvs_flash/src/nvs_api.cpp b/components/nvs_flash/src/nvs_api.cpp
index 1d53948ca8..3a2a3495b6 100644
--- a/components/nvs_flash/src/nvs_api.cpp
+++ b/components/nvs_flash/src/nvs_api.cpp
@@ -580,14 +580,18 @@ extern "C" esp_err_t nvs_flash_generate_keys(const esp_partition_t* partition, n
 cfg->tky[cnt] = 0x88;
 }
 }
-
- /* Write without encryption */
+
+ /**
+ * Write key configuration without encryption engine (using raw partition write APIs).
+ * But the read is decrypted through flash encryption engine. This allows unique NVS encryption configuration,
+ * as flash encryption key is randomly generated per device.
+ */
 err = esp_partition_write_raw(partition, 0, cfg->eky, NVS_KEY_SIZE);
 if(err != ESP_OK) {
 return err;
 }
-
- /* Write without encryption */
+
+ /* Write without encryption, see note above */
 err = esp_partition_write_raw(partition, NVS_KEY_SIZE, cfg->tky, NVS_KEY_SIZE);
 if(err != ESP_OK) {
 return err;
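Review bot: The new block comment above the first `esp_partition_write_raw()` call does not state the precondition the scheme rests on: the bytes read back are device-unique only if flash encryption is enabled and this partition is read through the encryption engine. The context line `cfg->tky[cnt] = 0x88;` suggests the buffers hold a fixed fill pattern, so without that precondition the NVS keys would presumably be the same constant on every device; the fill loop and any guard for this lie outside the hunk, so this needs confirming against the rest of `nvs_flash_generate_keys`. I would add a line such as `* Requires flash encryption to be enabled; otherwise the pattern written here is read back unchanged as the key.` As a style point, `/** ... */` is a Doxygen doc-comment opener, and inside a function body a plain `/* ... */` would match the second comment.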