diff --git a/docs/sources/administration/database-encryption-enterprise.md b/docs/sources/administration/database-encryption-enterprise.md
new file mode 100644
index 00000000000..d0974ab581c
--- /dev/null
+++ b/docs/sources/administration/database-encryption-enterprise.md
@@ -0,0 +1,22 @@
++++
+title = "Database encryption (Enterprise)"
+description = "Grafana Enterprise database encryption"
+keywords = ["grafana", "enterprise", "database", "encryption", "documentation"]
+aliases = [""]
+weight = 440
++++
+
+# Grafana Enterprise database encryption
+
+If you are using Grafana Enterprise, you can change Grafana’s cryptographic mode of operation from AES-CFB to AES-GCM, and integrate with a key management system (KMS) provider.
+
+## Changing your encryption mode to AES-GCM
+
+Grafana encrypts secrets using Advanced Encryption Standard in Cipher
+FeedBack mode (AES-CFB). You might prefer to use AES in Galois/Counter
+Mode (AES-GCM) instead, to meet your company’s security requirements or
+in order to maintain consistency with other services.
+
+To change your encryption mode, update the `algorithm` value in the
+`[security.encryption]` section of your Grafana configuration file.
+For details, refer to Enterprise configuration.
diff --git a/docs/sources/administration/database-encryption.md b/docs/sources/administration/database-encryption.md
new file mode 100644
index 00000000000..ebdfaefd4a6
--- /dev/null
+++ b/docs/sources/administration/database-encryption.md
@@ -0,0 +1,15 @@
++++
+title = "Database encryption"
+description = "Grafana database encryption"
+keywords = ["grafana", "database", "encryption", "documentation"]
+aliases = [""]
+weight = 450
++++
+
+# Grafana database encryption
+
+Grafana’s database contains secrets, which are used to query data sources, send alert notifications and perform other functions within Grafana.
+
+Grafana encrypts these secrets before they are written to the database, by using a symmetric-key encryption algorithm called Advanced Encryption Standard (AES), and using a [secret key]({{< relref "../administration/configuration/#secret_key" >}}) that you can change when you configure a new Grafana instance.
+
+You can also use envelope encryption, which complements a KMS integration by adding a layer of indirection to the encryption process.