From fcf6b2998738e90c1c5975feea62c3686497957c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joan=20L=C3=B3pez=20de=20la=20Franca=20Beltran?= <5459617+joanlopez@users.noreply.github.com> Date: Tue, 14 Jun 2022 10:04:21 +0200 Subject: [PATCH] Docs: Add envelope encryption as breaking change (#50716) * Docs: Add envelope encryption as breaking change * Minor improvements * Apply suggestions from code review Co-authored-by: Tania --- docs/sources/whatsnew/whats-new-in-v9-0.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/docs/sources/whatsnew/whats-new-in-v9-0.md b/docs/sources/whatsnew/whats-new-in-v9-0.md index 27a8c98267c..343babf44f7 100644 --- a/docs/sources/whatsnew/whats-new-in-v9-0.md +++ b/docs/sources/whatsnew/whats-new-in-v9-0.md 
@@ -235,6 +235,26 @@ You can find the complete list of breaking changes in the links below. Please ch - https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-0-beta3/ - https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-0 +### Envelope encryption enabled by default + +Since v8.3 a new kind of encryption called "envelope encryption" was added, for those secrets stored in the Grafana +database (data source credentials, alerting notification channel credentials, oauth tokens, etc), behind a feature +toggle named `envelopeEncryption`. + +In v9.0, `envelopeEncryption` feature toggle has been replaced in favor of `disableEnvelopeEncryption` and envelope encryption is +the encryption mechanism used by default. + +Therefore, any secret created or updated in Grafana v9.0 won't be decryptable by any previous Grafana version unless the +feature toggle `envelopeEncryption` is enabled in the previous version (only available since v8.3). +This needs to be considered in high availability setups, progressive rollouts or in case of need to roll back to a previous Grafana version for any reason. + +The recommendation here is to enable `envelopeEncryption` for older versions, or alternatively enable `disableEnvelopeEncryption` +before upgrading to v9.0. However, the latter is probably going to be removed in one of the next releases, so we hugely +encourage to move on with envelope encryption. + +Find [here]({{< relref "../setup-grafana/configure-security/configure-database-encryption/" >}}) more details and some +possible workarounds in case you end up in an undesired situation. + ## A note on Grafana Enterprise licensing When we release Grafana 9.0 on June 14th, Grafana will no longer enforce viewers and editor-admins differently. That means that regardless of whether your Grafana Enterprise license is tiered or combined, instead of seeing this on the Stats & Licensing page:
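Review bot: In the recommendation paragraph of the new "Envelope encryption enabled by default" section, "alternatively enable `disableEnvelopeEncryption` before upgrading to v9.0" is ambiguous. The second paragraph says this toggle replaces `envelopeEncryption` in v9.0, so it is unclear whether a pre-9.0 instance recognises it at all. Say explicitly where and when it has to be set, for example in the configuration the v9.0 binary reads on its first start, so that no secret is written with envelope encryption before the toggle takes effect. The section also does not say what happens to secrets already created or updated under v9.0 if the toggle is enabled afterwards, which is the case a reader in a high availability setup or partway through a rollback will be in. Add a sentence on that, or state that the linked database encryption page covers it. Smaller points: "Since v8.3 a new kind of encryption ... was added" reads better as "Envelope encryption was added in v8.3 for secrets stored in the Grafana database"; "oauth tokens" should be "OAuth tokens"; "we hugely encourage to move on with" could be "we strongly encourage moving to"; and the link text "here" should describe its target, for example "Configure database encryption".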