diff --git a/README.md b/README.md
index b984f5d..4b6c42c 100644
--- a/README.md
+++ b/README.md
@@ -207,6 +207,7 @@ Only one transport may be active at a time. If multiple are set, the server will
 | `MESHCORE_DISABLE_BOTS` | false | Disable bot system entirely (blocks execution and config; an intermediate security precaution, but not as good as basic auth) |
 | `MESHCORE_BASIC_AUTH_USERNAME` | | Optional app-wide HTTP Basic auth username; must be set together with `MESHCORE_BASIC_AUTH_PASSWORD` |
 | `MESHCORE_BASIC_AUTH_PASSWORD` | | Optional app-wide HTTP Basic auth password; must be set together with `MESHCORE_BASIC_AUTH_USERNAME` |
+| `MESHCORE_ENABLE_LOCAL_PRIVATE_KEY_EXPORT` | false | Enable `GET /api/radio/private-key` to return the in-memory private key as hex for backup or migration. Only enable on a trusted network. Import via `PUT /api/radio/private-key` is always available. |
 
 Common launch patterns:
 
diff --git a/README_ADVANCED.md b/README_ADVANCED.md
index dea74f4..a0b2d21 100644
--- a/README_ADVANCED.md
+++ b/README_ADVANCED.md
@@ -9,9 +9,16 @@ These are intended for diagnosing or working around radios that behave oddly.
 | `MESHCORE_ENABLE_MESSAGE_POLL_FALLBACK` | false | Run aggressive 10-second `get_msg()` fallback polling to check for messages |
 | `MESHCORE_FORCE_CHANNEL_SLOT_RECONFIGURE` | false | Disable channel-slot reuse and force `set_channel(...)` before every channel send |
 | `MESHCORE_LOAD_WITH_AUTOEVICT` | false | Enable autoevict mode for contact loading (see [Contact Loading Issues](#contact-loading-issues) below) |
-| `MESHCORE_ENABLE_LOCAL_PRIVATE_KEY_EXPORT` | false | Enable `GET /api/radio/private-key` to return the in-memory private key as hex. Only enable on a trusted network when you need to retrieve the key (e.g. for backup or migration). |
 | `__CLOWNTOWN_DO_CLOCK_WRAPAROUND` | false | Highly experimental: if the radio clock is ahead of system time, try forcing the clock to `0xFFFFFFFF`, wait for uint32 wraparound, and then retry normal time sync before falling back to reboot |
 
+## Private Key Export
+
+`MESHCORE_ENABLE_LOCAL_PRIVATE_KEY_EXPORT=true` enables `GET /api/radio/private-key`, which returns the in-memory private key as hex for backup or migration. The key is held in memory only (exported from the radio on connect) and is never persisted to disk. Only enable this on a trusted network when you need to retrieve the key.
+
+Import via `PUT /api/radio/private-key` is always available regardless of this setting — it is write-only and does not expose key material.
+
+The Radio Settings config export/import feature uses these endpoints. When export is disabled, config exports will omit the private key and show a notice.
+
 By default the app relies on radio events plus MeshCore auto-fetch for incoming messages, and also runs a low-frequency hourly audit poll. That audit checks both:
 
 - whether messages were left on the radio without reaching the app through event subscription
diff --git a/docker-compose.example.yml b/docker-compose.example.yml
index f3101b9..76c52da 100644
--- a/docker-compose.example.yml
+++ b/docker-compose.example.yml
@@ -44,6 +44,7 @@ services:
       # MESHCORE_DISABLE_BOTS: "true"
       # MESHCORE_BASIC_AUTH_USERNAME: changeme
       # MESHCORE_BASIC_AUTH_PASSWORD: changeme
+      # MESHCORE_ENABLE_LOCAL_PRIVATE_KEY_EXPORT: "false"
 
       # Logging
       # MESHCORE_LOG_LEVEL: INFO
diff --git a/pkg/aur/remoteterm.env b/pkg/aur/remoteterm.env
index f4c4601..b01b3a1 100644
--- a/pkg/aur/remoteterm.env
+++ b/pkg/aur/remoteterm.env
@@ -29,3 +29,7 @@ MESHCORE_DISABLE_BOTS=true
 # HTTP Basic Auth (recommended when bots are enabled)
 #MESHCORE_BASIC_AUTH_USERNAME=
 #MESHCORE_BASIC_AUTH_PASSWORD=
+
+# Enable GET /api/radio/private-key to return the in-memory private key as hex
+# for backup or migration. Only enable on a trusted network.
+#MESHCORE_ENABLE_LOCAL_PRIVATE_KEY_EXPORT=false