diff --git a/pkgs/racket-doc/pkg/scribblings/pkg.scrbl b/pkgs/racket-doc/pkg/scribblings/pkg.scrbl
index f09290e670..975213dfe7 100644
--- a/pkgs/racket-doc/pkg/scribblings/pkg.scrbl
+++ b/pkgs/racket-doc/pkg/scribblings/pkg.scrbl
@@ -946,7 +946,8 @@ for @nonterm{key}.
         set only in @exec{installation} scope.}
   @item{@exec{git-checkout-credentials} --- A list of git credentials in the form
         @nonterm{username}@litchar{:}@nonterm{password} that are tried when downloading
-        packages with git sources using the HTTP or HTTPS protocols.}
+        packages with git sources using the HTTP or HTTPS protocols. The credentials are
+        currently stored @bold{unencrypted} on the filesystem.}
   @item{@exec{trash-max-packages} --- A limit on the number of package implementations
         that are kept in a trash folder when the package is removed or updated.}
   @item{@exec{trash-max-seconds} --- A limit on the time since a package is removed or
diff --git a/racket/collects/pkg/private/config.rkt b/racket/collects/pkg/private/config.rkt
index ff379fd37e..c62ed196c9 100644
--- a/racket/collects/pkg/private/config.rkt
+++ b/racket/collects/pkg/private/config.rkt
@@ -230,7 +230,8 @@
                              [(list _)
                               (credentials-format-error
                                "not enough elements for git checkout credentials"
-                               val)])))]
+                               val)])))
+        (displayln "WARNING: checkout credentials are stored UNENCRYPTED" (current-error-port))]
        [(list* key args)
         (pkg-error "unsupported config key\n  key: ~a" key)])]
     [else