Grafana database encryption
Grafana’s database contains secrets, which are used to query data sources, send alert notifications and perform other functions within Grafana.
Grafana encrypts these secrets before they are written to the database, by using a symmetric-key encryption algorithm called Advanced Encryption Standard (AES), and using a secret key that you can change when you configure a new Grafana instance.
You can choose to use envelope encryption, which complements a KMS integration in Grafana Enterprise by adding a layer of indirection to the encryption process.
In Grafana Enterprise, you can also choose to encrypt secrets in AES-GCM mode instead of AES-CFB.