diff --git a/base/data/openbao-keys-placeholder.yaml b/base/data/openbao-keys-placeholder.yaml
index 61dada4..bbd2ca3 100644
--- a/base/data/openbao-keys-placeholder.yaml
+++ b/base/data/openbao-keys-placeholder.yaml
@@ -1,9 +1,10 @@
-# Placeholder secret — replaced by the init script after `bao operator init`.
-# Exists so the auto-unseal sidecar's volume mount doesn't block pod startup.
+# Placeholder secret — seed script writes real key/root-token data after init.
+# Exists so the auto-unseal sidecar volume mount doesn't block pod startup.
+# `data` is intentionally omitted so server-side apply never manages (or wipes)
+# the key fields written by the seed script.
 apiVersion: v1
 kind: Secret
 metadata:
 name: openbao-keys
 namespace: data
 type: Opaque
-data: {}
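Review bot: The two added comment lines about `data` make the survival of the seeded unseal keys depend on every apply path being server-side apply, and nothing in the manifest enforces or states that requirement. A client-side `kubectl apply` whose last-applied annotation still records the old `data: {}`, or any replace/force-style sync, may remove the `data` field together with the seeded keys, which would leave the auto-unseal sidecar with nothing to read after the next restart. I would state the constraint explicitly, e.g. `# Requires server-side apply; never replace/force-sync this Secret, or the seeded keys are lost.` Separately, the first comment line now says the Secret also carries the root token. The seed script is not part of this diff, so it is worth a comment here on who may read Secrets in namespace `data` and whether the root token is revoked once bootstrap is complete.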