Howdy folks, 

I managed to get everything to work, woohoo! I thought I'd share my notes here just in case someone else tries to get this running.

Encrypted mesh with Libremesh v17 (stable)

1. Make sure you are using dual-band routers
2. Install the libremesh firmware
3. Install wpad-mesh and remove wpad-mini
4. Edit the /etc/config/wireless file and find your two entries with mode 'mesh', there will be one for each radio. Comment out all the APs for one radio and only leave the "mesh" point
5. Add the following to the mesh entry:

option encryption 'psk+aes'
option key 'foobarbaz'

6. Now for the other radio, comment out ONLY the mesh entry 
7. Make note of which radio is being used for what
7. Reboot the router
8. Repeat steps 1-7 for your other routers

All this does is force one radio to act as your mesh and the other as your AP, and surprisingly, this works just fine with v17, no custom or unstable build required. 

My realisation came when I managed to get one of my routers to work as an encrypted mesh endpoint, but it stopped acting as an AP, so I got myself another dual-band router and now it works. Basically you need two radios. Admittedly, this was all noted in the Github issue, so I guess I could have saved myself a lot of time by just following that more carefully.

Hope this helps someone in future & thanks for the awesome project!

Cheers,
Martin