diff --git a/Design:-Encryption-of-credentials.md b/Design:-Encryption-of-credentials.md index e8053ec..d2e3102 100644 --- a/Design:-Encryption-of-credentials.md +++ b/Design:-Encryption-of-credentials.md @@ -56,3 +56,22 @@ By keeping it a valid JSON object underlying storage implementations should not var decipher = crypto.createDecipheriv(encryptionAlgorithm, encryptionKey, initVector); var decrypted = decipher.update(encryptedCredentials, 'base64', 'utf8') + decipher.final('utf8'); var result = JSON.parse(decrypted); + +## FAQ + +The credentials file (`flows_cred.json`) is encrypted by default to ensure its contents cannot be easily read. + +Node-RED generates a random key for the encryption if you do not provide one in your settings file. If the second instance of Node-RED doesn't have the same encryption key, it won't be able to decrypt the file. + +Here are the steps you need to resolve this. + +1. edit your `settings.js` file and add a `credentialSecret` property with a whatever string value you want. If you want to disable encryption, set its value to `false`. + + credentialSecret: "my-random-string" + +2. Restart Node-RED and deploy a change - this will trigger Node-RED to re-encrypt your credentials with your chosen key (or disabling encryption if set to false). + +3. You can then copy your flow/credential file to a second instance, just make sure you give it the same `credentialSecret` value in its settings file. + +Note that once you set `credentialSecret` you cannot change its value. +
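Review bot: In step 1 of the new FAQ, "a whatever string value you want" together with the example `credentialSecret: "my-random-string"` invites readers to choose a short or guessable value for the key that protects `flows_cred.json`. Suggest wording such as "a long, randomly generated string that you keep private", with an example value that is obviously a placeholder. The same step offers `false` to disable encryption without saying that the credentials file then loses the protection the first paragraph gives as the reason for encrypting it; state that consequence next to the option. The section is headed "FAQ" but never states a question: "the second instance" and "resolve this" have no antecedent, so add the scenario (copying the flow/credential file to another instance, as in step 3) as a heading or opening sentence. The closing note says the value cannot be changed once set, while step 2 describes re-encrypting with a newly chosen key; say what happens to existing credentials if the value is changed later so the two statements do not read as contradictory. Minor: "a whatever" should be "whatever", and step 1 should start with a capital letter like steps 2 and 3.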