diff --git a/FsCrypt.cpp b/FsCrypt.cpp
index ea8bb73..c3455a0 100644
--- a/FsCrypt.cpp
+++ b/FsCrypt.cpp
@@ -411,11 +411,18 @@ bool fscrypt_vold_create_user_key(userid_t user_id, int serial, bool ephemeral)
     return true;
 }
 
+// "Lock" all encrypted directories whose key has been removed.  This is needed
+// because merely removing the keyring key doesn't affect inodes in the kernel's
+// inode cache whose per-file key was already set up.  So to remove the per-file
+// keys and make the files "appear encrypted", these inodes must be evicted.
+//
+// To do this, sync() to clean all dirty inodes, then drop all reclaimable slab
+// objects systemwide.  This is overkill, but it's the best available method
+// currently.  Don't use drop_caches mode "3" because that also evicts pagecache
+// for in-use files; all files relevant here are already closed and sync'ed.
 static void drop_caches() {
-    // Clean any dirty pages (otherwise they won't be dropped).
     sync();
-    // Drop inode and page caches.
-    if (!writeStringToFile("3", "/proc/sys/vm/drop_caches")) {
+    if (!writeStringToFile("2", "/proc/sys/vm/drop_caches")) {
         PLOG(ERROR) << "Failed to drop caches during key eviction";
     }
 }