Is disableEnvelopeEncryption no longer supported in grafana 9.5.18
The disableEnvelopeEncryption feature toggle is still supported in Grafana 9.5.18. However, it's important to note that this feature toggle is intended for emergency use only and may be removed in future releases. The default behavior in Grafana 9.x is to use envelope encryption for database secrets, which enhances security by using a set of data encryption keys (DEKs) encrypted with a key encryption key (KEK).
If you need to disable envelope encryption for any reason, you can set the disableEnvelopeEncryption feature toggle to true in your Grafana configuration. However, it's strongly recommended to use envelope encryption unless you have a specific need to disable it, as it provides better security for your stored secrets.
For more information on configuring database encryption and using feature toggles, you can refer to the Grafana documentation on database encryption and feature toggles.
grot is still learning and improving, please let me know how I did by reacting below.
should this toggle be used before migrating from grafana 7.5.17 to 9.5.18 or after upgrade?
When upgrading from Grafana 7.5.17 to 9.5.18, you should consider the implications of envelope encryption, which is enabled by default in Grafana 9.x. Here are some steps to guide you through the process:
- Before Upgrading:
- Backup Your Database: Always ensure you have a backup of your Grafana database before performing any upgrade. This will help you recover in case anything goes wrong during the upgrade process.
-
Review Encryption Settings: Since Grafana 7.5.17 does not support envelope encryption, you won't have the
disableEnvelopeEncryptiontoggle set. However, if you anticipate needing to disable envelope encryption after the upgrade, you can prepare by understanding how to configure this toggle in your Grafana configuration file. -
During the Upgrade:
-
Upgrade to Grafana 9.5.18: Perform the upgrade as per the standard upgrade procedure. During this process, Grafana will start using envelope encryption for any new or updated secrets.
-
After Upgrading:
-
Evaluate the Need for
disableEnvelopeEncryption: If you encounter issues with envelope encryption or have specific requirements that necessitate disabling it, you can then set thedisableEnvelopeEncryptiontoggle totruein your Grafana configuration file. This should be done with caution and only if absolutely necessary, as envelope encryption provides enhanced security. -
Testing and Validation:
-
Test Your Setup: After the upgrade, thoroughly test your Grafana setup to ensure that all functionalities are working as expected, especially those related to data source connections and alerting, which rely on encrypted secrets.
-
Documentation and Support:
- Consult Documentation: Refer to the Grafana documentation on database encryption for detailed guidance on managing encryption settings.
- Seek Support if Needed: If you encounter any issues or have questions, consider reaching out to the Grafana community or support channels for assistance.
By following these steps, you can ensure a smooth transition to Grafana 9.5.18 while maintaining the security and integrity of your encrypted secrets.
grot is still learning and improving, please let me know how I did by reacting below.