Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.

Enterprise Open source

Grafana database encryption

Grafana’s database contains secrets, which are used to query data sources, send alert notifications and perform other functions within Grafana.

Grafana encrypts these secrets before they are written to the database, by using a symmetric-key encryption algorithm called Advanced Encryption Standard (AES), and using a secret key that you can change when you configure a new Grafana instance.

You can choose to use envelope encryption, which complements a KMS integration in Grafana Enterprise by adding a layer of indirection to the encryption process.

In Grafana Enterprise, you can also choose to encrypt secrets in AES-GCM mode instead of AES-CFB.