diff --git a/docs/security/how-it-works.md b/docs/security/how-it-works.md index 640b40d..772fbf6 100644 --- a/docs/security/how-it-works.md +++ b/docs/security/how-it-works.md @@ -112,12 +112,12 @@ Your device's key is long-lived (you generate it once). But what if it's ever co Secure LSL protects against this with **session keys**: -1. When two devices connect, they perform a **key exchange** to create a shared secret -2. This secret is used to derive a **session key** that encrypts all data -3. Session keys are **rotated periodically** -4. Session keys are never stored; they exist only in memory +1. When two devices connect, each generates a **fresh ephemeral key pair** for that connection only, signs its ephemeral public key with the shared device key, and exchanges them +2. The ephemeral key exchange produces a shared secret used to derive a **session key** that encrypts all data +3. Session keys are **rotated periodically** (a new ephemeral exchange each epoch) +4. The ephemeral secret keys are discarded as soon as the session key is derived; session keys are never stored and exist only in memory -This provides **forward secrecy**: even if an attacker eventually obtains your device's private key, they cannot decrypt recordings from past sessions that used different session keys. +This provides **forward secrecy**: even if an attacker eventually obtains your device's long-term private key, they cannot decrypt recordings from past sessions, because each session's key depended on ephemeral secrets that no longer exist. --- diff --git a/docs/security/security-model.md b/docs/security/security-model.md index 05336c9..67fbd37 100644 --- a/docs/security/security-model.md +++ b/docs/security/security-model.md 
@@ -78,13 +78,14 @@ Secure LSL does NOT protect against: - Sliding window tolerates minor reordering - In testing, all replay attempts were rejected -### Session Key Isolation +### Session Key Isolation and Forward Secrecy -**Guarantee**: Each connection uses a unique session key. +**Guarantee**: Each connection uses a unique session key, and past sessions stay protected even if the long-term key is later compromised. -- Session keys derived per connection with connection-specific context -- Automatic periodic key rotation -- Session keys exist only in memory during connection lifetime +- Each connection performs a fresh ephemeral X25519 exchange (signed with the shared device key) to derive its session key +- The ephemeral secret keys are destroyed once the session key is derived, providing forward secrecy +- Automatic periodic key rotation, with a fresh ephemeral exchange each epoch +- Session keys exist only in memory during the connection lifetime ---
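Review bot: in the how-it-works.md hunk, step 1 of the rewritten list says each side "signs its ephemeral public key with the shared device key", while the closing paragraph of the same hunk calls the same key "your device's long-term private key"; a key described as shared reads as symmetric, and a symmetric key cannot produce a signature, so the page now disagrees with itself on the primitive. Pick one: if the device key is a symmetric pre-shared key, write "authenticates its ephemeral public key with a MAC keyed by the device key" and drop "private key"; if it is an asymmetric pair, name the signature scheme next to the X25519 exchange and say "its device signing key" rather than "shared". In either case, add a sentence after the forward-secrecy paragraph that the guarantee is limited to past sessions: an attacker who holds the long-term key can still authenticate fresh ephemeral keys and so intercept new connections.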
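Review bot: the last bullet of the security-model.md hunk, "Session keys exist only in memory during the connection lifetime", undercuts the per-epoch forward secrecy claimed two bullets earlier: if rotation derives a new key from a fresh ephemeral exchange but the previous epoch's session key stays in memory until the connection closes, a memory compromise during the connection still exposes every earlier epoch. State that the previous session key is erased once the new epoch's key is in use (mirroring "The ephemeral secret keys are destroyed once the session key is derived") and narrow the bullet to the current session key. The rotation bullet would also benefit from the epoch length or the trigger for rotation, since "periodic" is the only description given in either file.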