diff --git a/archon-ui-main/src/components/settings/APIKeysSection.tsx b/archon-ui-main/src/components/settings/APIKeysSection.tsx
index 2b61305b..729b2397 100644
--- a/archon-ui-main/src/components/settings/APIKeysSection.tsx
+++ b/archon-ui-main/src/components/settings/APIKeysSection.tsx
@@ -16,6 +16,7 @@ interface CustomCredential {
   is_encrypted?: boolean;
   showValue?: boolean; // Track per-credential visibility
   isNew?: boolean; // Track if this is a new unsaved credential
+  isFromBackend?: boolean; // Track if credential came from backend (write-only once encrypted)
 }
 
 export const APIKeysSection = () => {
@@ -51,17 +52,22 @@ export const APIKeysSection = () => {
       });
       
       // Convert to UI format
-      const uiCredentials = apiKeys.map(cred => ({
-        key: cred.key,
-        value: cred.value || '',
-        description: cred.description || '',
-        originalValue: cred.value || '',
-        originalKey: cred.key, // Track original key for updates
-        hasChanges: false,
-        is_encrypted: cred.is_encrypted || false,
-        showValue: false,
-        isNew: false
-      }));
+      const uiCredentials = apiKeys.map(cred => {
+        const isEncryptedFromBackend = cred.is_encrypted && cred.value === '[ENCRYPTED]';
+        
+        return {
+          key: cred.key,
+          value: cred.value || '',
+          description: cred.description || '',
+          originalValue: cred.value || '',
+          originalKey: cred.key, // Track original key for updates
+          hasChanges: false,
+          is_encrypted: cred.is_encrypted || false,
+          showValue: false,
+          isNew: false,
+          isFromBackend: !cred.isNew, // Mark as from backend unless it's a new credential
+        };
+      });
       
       setCustomCredentials(uiCredentials);
     } catch (err) {
@@ -81,7 +87,8 @@ export const APIKeysSection = () => {
       hasChanges: true,
       is_encrypted: true, // Default to encrypted
       showValue: true, // Show value for new entries
-      isNew: true
+      isNew: true,
+      isFromBackend: false // New credentials are not from backend
     };
     
     setCustomCredentials([...customCredentials, newCred]);
@@ -95,6 +102,12 @@ export const APIKeysSection = () => {
         if (field === 'key' || field === 'value' || field === 'is_encrypted') {
           updated.hasChanges = true;
         }
+        // If user is editing the value of an encrypted credential from backend, make it editable
+        if (field === 'value' && cred.isFromBackend && cred.is_encrypted && cred.value === '[ENCRYPTED]') {
+          updated.isFromBackend = false; // Now it's being edited, treat like new credential
+          updated.showValue = false; // Keep it hidden by default since it was encrypted
+          updated.value = ''; // Clear the [ENCRYPTED] placeholder so they can enter new value
+        }
         return updated;
       }
       return cred;
@@ -102,11 +115,21 @@ export const APIKeysSection = () => {
   };
 
   const toggleValueVisibility = (index: number) => {
-    updateCredential(index, 'showValue', !customCredentials[index].showValue);
+    const cred = customCredentials[index];
+    if (cred.isFromBackend && cred.is_encrypted && cred.value === '[ENCRYPTED]') {
+      showToast('Encrypted credentials cannot be viewed. Edit to make changes.', 'warning');
+      return;
+    }
+    updateCredential(index, 'showValue', !cred.showValue);
   };
 
   const toggleEncryption = (index: number) => {
-    updateCredential(index, 'is_encrypted', !customCredentials[index].is_encrypted);
+    const cred = customCredentials[index];
+    if (cred.isFromBackend && cred.is_encrypted && cred.value === '[ENCRYPTED]') {
+      showToast('Edit the credential value to make changes.', 'warning');
+      return;
+    }
+    updateCredential(index, 'is_encrypted', !cred.is_encrypted);
   };
 
   const deleteCredential = async (index: number) => {
@@ -242,15 +265,31 @@ export const APIKeysSection = () => {
                       value={cred.value}
                       onChange={(e) => updateCredential(index, 'value', e.target.value)}
                       placeholder={cred.is_encrypted && !cred.value ? 'Enter new value (encrypted)' : 'Enter value'}
-                      className="w-full px-3 py-2 pr-20 rounded-md bg-white dark:bg-gray-900 border border-gray-300 dark:border-gray-700 text-sm"
+                      className={`w-full px-3 py-2 pr-20 rounded-md border text-sm ${
+                        cred.isFromBackend && cred.is_encrypted && cred.value === '[ENCRYPTED]'
+                          ? 'bg-gray-100 dark:bg-gray-800 border-gray-200 dark:border-gray-600 text-gray-500 dark:text-gray-400'
+                          : 'bg-white dark:bg-gray-900 border-gray-300 dark:border-gray-700'
+                      }`}
+                      title={cred.isFromBackend && cred.is_encrypted && cred.value === '[ENCRYPTED]' 
+                        ? 'Click to edit this encrypted credential' 
+                        : undefined}
                     />
                     
                     {/* Show/Hide value button */}
                     <button
                       type="button"
                       onClick={() => toggleValueVisibility(index)}
-                      className="absolute right-10 top-1/2 -translate-y-1/2 p-1.5 rounded hover:bg-gray-200 dark:hover:bg-gray-700 transition-colors"
-                      title={cred.showValue ? 'Hide value' : 'Show value'}
+                      disabled={cred.isFromBackend && cred.is_encrypted && cred.value === '[ENCRYPTED]'}
+                      className={`absolute right-10 top-1/2 -translate-y-1/2 p-1.5 rounded transition-colors ${
+                        cred.isFromBackend && cred.is_encrypted && cred.value === '[ENCRYPTED]'
+                          ? 'cursor-not-allowed opacity-50'
+                          : 'hover:bg-gray-200 dark:hover:bg-gray-700'
+                      }`}
+                      title={
+                        cred.isFromBackend && cred.is_encrypted && cred.value === '[ENCRYPTED]'
+                          ? 'Edit credential to view and modify'
+                          : cred.showValue ? 'Hide value' : 'Show value'
+                      }
                     >
                       {cred.showValue ? (
                         <EyeOff className="w-4 h-4 text-gray-500" />
@@ -263,14 +302,21 @@ export const APIKeysSection = () => {
                     <button
                       type="button"
                       onClick={() => toggleEncryption(index)}
+                      disabled={cred.isFromBackend && cred.is_encrypted && cred.value === '[ENCRYPTED]'}
                       className={`
                         absolute right-2 top-1/2 -translate-y-1/2 p-1.5 rounded transition-colors
-                        ${cred.is_encrypted 
-                          ? 'text-pink-600 dark:text-pink-400 hover:bg-pink-100 dark:hover:bg-pink-900/20' 
-                          : 'text-gray-400 hover:bg-gray-200 dark:hover:bg-gray-700'
+                        ${cred.isFromBackend && cred.is_encrypted && cred.value === '[ENCRYPTED]'
+                          ? 'cursor-not-allowed opacity-50 text-pink-400'
+                          : cred.is_encrypted 
+                            ? 'text-pink-600 dark:text-pink-400 hover:bg-pink-100 dark:hover:bg-pink-900/20' 
+                            : 'text-gray-400 hover:bg-gray-200 dark:hover:bg-gray-700'
                         }
                       `}
-                      title={cred.is_encrypted ? 'Encrypted' : 'Not encrypted'}
+                      title={
+                        cred.isFromBackend && cred.is_encrypted && cred.value === '[ENCRYPTED]'
+                          ? 'Edit credential to modify encryption'
+                          : cred.is_encrypted ? 'Encrypted - click to decrypt' : 'Not encrypted - click to encrypt'
+                      }
                     >
                       {cred.is_encrypted ? (
                         <Lock className="w-4 h-4" />
@@ -347,7 +393,7 @@ export const APIKeysSection = () => {
             </div>
             <div className="text-sm text-gray-600 dark:text-gray-400">
               <p>
-                Click the lock icon to toggle encryption for each credential. Encrypted values are stored securely and only decrypted when needed.
+                Encrypted credentials are masked after saving. Click on a masked credential to edit it - this allows you to change the value and encryption settings.
               </p>
             </div>
           </div>
diff --git a/archon-ui-main/src/services/credentialsService.ts b/archon-ui-main/src/services/credentialsService.ts
index bb14b489..3064f630 100644
--- a/archon-ui-main/src/services/credentialsService.ts
+++ b/archon-ui-main/src/services/credentialsService.ts
@@ -102,8 +102,8 @@ class CredentialsService {
           if (value && typeof value === "object" && value.is_encrypted) {
             return {
               key,
-              value: undefined,
-              encrypted_value: value.encrypted_value,
+              value: "[ENCRYPTED]",
+              encrypted_value: undefined,
               is_encrypted: true,
               category,
               description: value.description,
diff --git a/python/src/server/api_routes/settings_api.py b/python/src/server/api_routes/settings_api.py
index 48e2d764..7c9d9d6f 100644
--- a/python/src/server/api_routes/settings_api.py
+++ b/python/src/server/api_routes/settings_api.py
@@ -139,11 +139,12 @@ OPTIONAL_SETTINGS_WITH_DEFAULTS = {
 
 
 @router.get("/credentials/{key}")
-async def get_credential(key: str, decrypt: bool = True):
+async def get_credential(key: str):
     """Get a specific credential by key."""
     try:
-        logfire.info(f"Getting credential | key={key} | decrypt={decrypt}")
-        value = await credential_service.get_credential(key, decrypt=decrypt)
+        logfire.info(f"Getting credential | key={key}")
+        # Never decrypt - always get metadata only for encrypted credentials
+        value = await credential_service.get_credential(key, decrypt=False)
 
         if value is None:
             # Check if this is an optional setting with a default value
@@ -162,16 +163,17 @@ async def get_credential(key: str, decrypt: bool = True):
 
         logfire.info(f"Credential retrieved successfully | key={key}")
 
-        # For encrypted credentials, return metadata instead of the actual value for security
-        if isinstance(value, dict) and value.get("is_encrypted") and not decrypt:
+        if isinstance(value, dict) and value.get("is_encrypted"):
             return {
                 "key": key,
+                "value": "[ENCRYPTED]",
                 "is_encrypted": True,
                 "category": value.get("category"),
                 "description": value.get("description"),
                 "has_value": bool(value.get("encrypted_value")),
             }
 
+        # For non-encrypted credentials, return the actual value
         return {"key": key, "value": value, "is_encrypted": False}
 
     except HTTPException:
diff --git a/python/src/server/services/credential_service.py b/python/src/server/services/credential_service.py
index 017c3b2a..443de7e9 100644
--- a/python/src/server/services/credential_service.py
+++ b/python/src/server/services/credential_service.py
@@ -303,7 +303,7 @@ class CredentialService:
                 key = item["key"]
                 if item["is_encrypted"]:
                     credentials[key] = {
-                        "encrypted_value": item["encrypted_value"],
+                        "value": "[ENCRYPTED]",
                         "is_encrypted": True,
                         "description": item["description"],
                     }
@@ -330,31 +330,16 @@ class CredentialService:
 
             credentials = []
             for item in result.data:
-                # For encrypted values, decrypt them for UI display
                 if item["is_encrypted"] and item["encrypted_value"]:
-                    try:
-                        decrypted_value = self._decrypt_value(item["encrypted_value"])
-                        cred = CredentialItem(
-                            key=item["key"],
-                            value=decrypted_value,
-                            encrypted_value=None,  # Don't expose encrypted value
-                            is_encrypted=item["is_encrypted"],
-                            category=item["category"],
-                            description=item["description"],
-                        )
-                    except Exception as e:
-                        logger.error(f"Failed to decrypt credential {item['key']}: {e}")
-                        # If decryption fails, show placeholder
-                        cred = CredentialItem(
-                            key=item["key"],
-                            value="[DECRYPTION ERROR]",
-                            encrypted_value=None,
-                            is_encrypted=item["is_encrypted"],
-                            category=item["category"],
-                            description=item["description"],
-                        )
+                    cred = CredentialItem(
+                        key=item["key"],
+                        value="[ENCRYPTED]",
+                        encrypted_value=None,
+                        is_encrypted=item["is_encrypted"],
+                        category=item["category"],
+                        description=item["description"],
+                    )
                 else:
-                    # Plain text values
                     cred = CredentialItem(
                         key=item["key"],
                         value=item["value"],