Encrypt database secrets using Azure Key Vault

    Prerequisites:

    • An Azure account with permission to view and create Key Vault keys and programmatic credentials to access those keys
    • Access to the Grafana configuration file
    1. .

    2. Create a key in the Key Vault with the name that you want, using RSA as the type and as the size, with encrypt and decrypt permissions.

    3. Register an application and generate a client secret for it.

    4. for the key vault that you created:

    5. Add your Azure Key Vault details to the Grafana configuration file, which, depending on your operating system, is usually named grafana.ini:

      a. Add a new section to the configuration file, with a name in the format of [security.encryption.azurekv.<KEY-NAME>], where <KEY-NAME> is any name that uniquely identifies this key among other provider keys.

      b. Fill in the section with the following values:

      • tenant_id: the Directory ID (tenant) from the application that you registered.
      • client_id: the Application ID (client) from the application that you registered.
      • client_secret: the VALUE of the secret that you generated in your app (do not use the Secret ID).
      • : the key name that you created in the key vault.
      • vault_uri: the URL of your key vault.

      An example of an Azure Key Vault provider section in the grafana.ini file is as follows:

        # previous encryption key, used for legacy alerts, decrypting existing secrets or used as default provider when external providers are not configured
        # encryption provider key in the format <PROVIDER>.<KEY-NAME>
        encryption_provider = azurekv.example-encryption-key
        # list of configured key providers, space separated
        available_encryption_providers = azurekv.example-encryption-key

      > Note: The encryption key stored in the secret_key field is still used by Grafana’s legacy alerting system to encrypt secrets. Do not change or remove that value.

    6. Restart Grafana.
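As an added example, not part of the Grafana documentation or Grafana's own code, the following Python preflight check parses a grafana.ini fragment of the kind described above: it confirms that encryption_provider names an azurekv.<KEY-NAME> key that also appears in available_encryption_providers, that the matching [security.encryption.azurekv.<KEY-NAME>] section has all required values, and it flags a client_secret that looks like the Secret ID rather than the secret VALUE. The sample ini and the GUID-shape heuristic are constructed, and the configuration key for the key name (not shown on this page) is assumed to be key_id.

```python
import configparser
import re

# Constructed sample (not from the page); key_id is assumed as the setting name.
SAMPLE_INI = """
[security]
encryption_provider = azurekv.example-encryption-key
available_encryption_providers = azurekv.example-encryption-key

[security.encryption.azurekv.example-encryption-key]
tenant_id = 11111111-2222-3333-4444-555555555555
client_id = 66666666-7777-8888-9999-000000000000
client_secret = 11111111-2222-3333-4444-555555555555
key_id = example-encryption-key
vault_uri = https://example-vault.vault.azure.net/
"""

GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
REQUIRED = ("tenant_id", "client_id", "client_secret", "key_id", "vault_uri")

def check_azurekv_config(ini_text):
    """Return a list of problems found in an Azure Key Vault provider setup."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    problems = []
    sec = cfg["security"] if cfg.has_section("security") else {}
    provider = sec.get("encryption_provider", "")
    available = sec.get("available_encryption_providers", "").split()
    if not provider.startswith("azurekv."):
        return ["encryption_provider does not name an azurekv.<KEY-NAME> key"]
    if provider not in available:
        problems.append("encryption_provider is not in available_encryption_providers")
    section = "security.encryption." + provider
    if not cfg.has_section(section):
        return problems + [f"missing section [{section}]"]
    kv = cfg[section]
    for key in REQUIRED:
        if not kv.get(key):
            problems.append(f"[{section}] {key} is missing or empty")
    for key in ("tenant_id", "client_id"):
        if kv.get(key) and not GUID.match(kv[key]):
            problems.append(f"[{section}] {key} is not a GUID")
    # Heuristic: a GUID-shaped client_secret is usually the Secret ID, not the VALUE
    if GUID.match(kv.get("client_secret", "")):
        problems.append(f"[{section}] client_secret looks like a Secret ID; use the VALUE")
    if not kv.get("vault_uri", "").startswith("https://"):
        problems.append(f"[{section}] vault_uri must be an https:// URL")
    return problems
```

Running check_azurekv_config(SAMPLE_INI) reports only the client_secret problem, since the sample deliberately pastes a GUID-shaped value there.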