Credentials File Encryption warnings and IBM + Cloudant

Hi, After some disruption of NodeRED instance, I'm being hampered by the message:

Your flow credentials file is encrypted using a system-generated key.

If the system-generated key is lost for any reason, your credentials
file will not be recoverable, you will have to delete it and re-enter
your credentials.

You should set your own key using the 'credentialSecret' option in
your settings file. Node-RED will then re-encrypt your credentials
file using your chosen key the next time you deploy a change.

Because I'm working in IBMCloud, there are no config 'files', but these are instead documents within Cloudant's NodeRED database. Everything is dfone through Cloudant.
The system doesn't seem to flush out the old credentials in the way it announces. I don't seem to be able to flush them myself either.
As to 'decrypting the file', I have tried clearing the credentials string (to the RHS of the $: "") and a few variants of that (empty object, no object).

I've tried setting a manual 'credentialSecret' (in a Cloudant based config it looks as if this is held in settings, even when it's the autogenerated one, it also seems to be prefixed with an _ as many 'special names' are.. but maybe removing the underscore would be important to activate it. Finally I note that some articles say this value if set can never be changed - does that mean I only get one chance to try setting it)

Perhaps someone has seen his before?
I'd even be satisfied with temporarrily turning off the encryption of these credentials within our IBMCloud and adding it back in once the problem's been solved.

At present I can start the old flows fine, but I can't enter the credentials to NodeRED in such a way that they stay in the system and are used.

Can anyone steer me right with this one, please?