If a value is provided with a request to update the record, we should
not nullify it. We don't send decrypted private values to the client, so
if client provides it, it's probably pasted by the user.
When env var is changed from private to public, we didn't nullify it, so
someone doing that could miss exposing it. To minimise the risk of
exposing any secure info we'll now nullify the value.
