From ed0f3100b34755e81630b29a28bb5cb124634df0 Mon Sep 17 00:00:00 2001
From: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
Date: Fri, 19 Nov 2021 15:51:16 +0100
Subject: [PATCH] Add concept about envelope encryption (#41860)
* Add concept about envelope-encryption.
* remove comma
* separate warning note into steps
* remove steps from warning note
* Fix lint
Co-authored-by: Mitch Seaman
Co-authored-by: Dominik Prokop
---
.../administration/envelope-encryption.md | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 docs/sources/administration/envelope-encryption.md
diff --git a/docs/sources/administration/envelope-encryption.md b/docs/sources/administration/envelope-encryption.md
new file mode 100644
index 00000000000..36ce202d429
--- /dev/null
+++ b/docs/sources/administration/envelope-encryption.md
@@ -0,0 +1,19 @@
++++
+title = "Envelope encryption"
+description = "Envelope encryption"
+keywords = ["grafana", "envelope encryption", "documentation"]
+aliases = [""]
+weight = 430
++++
+
+# Envelope encryption
+
+In Grafana, you can choose to use envelope encryption. Instead of
+encrypting all secrets with a single key, Grafana uses a set of keys
+called data encryption keys (DEKs) to encrypt them. These data
+encryption keys are themselves encrypted with a single key encryption
+key (KEK).
+
+To turn on envelope encryption, add the term `envelopeEncryption` to the list of feature toggles in your [Grafana configuration]({{< relref "../administration/configuration/#feature_toggles" >}}).
+
+**> Note:** Avoid turning off envelope encryption once you have turned it on, and back up your database before turning it on for the first time. If you turn envelope encryption on, create new secrets or update your existing secrets (for example, by creating a new data source or alert notification channel), and then turn envelope encryption off, then those data sources, alert notification channels, and other resources using envelope encryption will stop working and you will experience errors. This is because the secrets encrypted with envelope encryption cannot be decrypted or used by Grafana when envelope encryption is turned off.