diff --git a/red/runtime/locales/en-US/runtime.json b/red/runtime/locales/en-US/runtime.json
index 93d5de2c9..eefc913b9 100644
--- a/red/runtime/locales/en-US/runtime.json
+++ b/red/runtime/locales/en-US/runtime.json
@@ -83,7 +83,8 @@
         "credentials": {
             "error":"Error loading credentials: __message__",
             "error-saving":"Error saving credentials: __message__",
-            "not-registered": "Credential type '__type__' is not registered"
+            "not-registered": "Credential type '__type__' is not registered",
+            "system-key-warning": "\n\n---------------------------------------------------------------------\nYour flow credentials file is encrypted using a system-generated key.\n\nIf the system-generated key is lost for any reason, your credentials\nfile will not be recoverable, you will have to delete it and re-enter\nyour credentials.\n\nYou should set your own key using the 'credentialSecret' option in\nyour settings file. Node-RED will then re-encrypt your credentials\nfile using your chosen key the next time you deploy a change.\n---------------------------------------------------------------------\n"
         },
         "flows": {
             "registered-missing": "Missing type registered: __type__",
diff --git a/red/runtime/nodes/credentials.js b/red/runtime/nodes/credentials.js
index 89bdf3857..36b97b0b5 100644
--- a/red/runtime/nodes/credentials.js
+++ b/red/runtime/nodes/credentials.js
@@ -201,6 +201,9 @@ var api = module.exports = {
             encryptedCredentials = credentials;
         }
         log.debug("red/runtime/nodes/credentials.load : keyType="+encryptionKeyType);
+        if (encryptionKeyType === 'system') {
+            log.warn(log._("nodes.credentials.system-key-warning"));
+        }
         return setupEncryptionPromise.then(function() {
             var clearInvalidFlag = false;
             if (credentials.hasOwnProperty("$")) {