diff --git a/pkg/services/datasources/service/datasource_service.go b/pkg/services/datasources/service/datasource_service.go
index e49e905255d..d1aeb19e1ad 100644
--- a/pkg/services/datasources/service/datasource_service.go
+++ b/pkg/services/datasources/service/datasource_service.go
@@ -51,13 +51,12 @@ type cachedRoundTripper struct {
 }
 
 func ProvideService(
-	store *sqlstore.SQLStore, secretsService secrets.Service, secretsStore kvstore.SecretsKVStore, cfg *setting.Cfg,
-	features featuremgmt.FeatureToggles, ac accesscontrol.AccessControl, permissionsServices accesscontrol.PermissionsServices,
+	store *sqlstore.SQLStore, secretsStore kvstore.SecretsKVStore, cfg *setting.Cfg, features featuremgmt.FeatureToggles,
+	ac accesscontrol.AccessControl, permissionsServices accesscontrol.PermissionsServices,
 ) *Service {
 	s := &Service{
-		SQLStore:       store,
-		SecretsStore:   secretsStore,
-		SecretsService: secretsService,
+		SQLStore:     store,
+		SecretsStore: secretsStore,
 		ptc: proxyTransportCache{
 			cache: make(map[int64]cachedRoundTripper),
 		},
@@ -285,7 +284,7 @@ func (s *Service) DecryptedValues(ctx context.Context, ds *models.DataSource) (m
 			return nil, err
 		}
 	} else if len(ds.SecureJsonData) > 0 {
-		decryptedValues, err = s.MigrateSecrets(ctx, ds)
+		decryptedValues, err = s.SecretsStore.Migrate(ctx, ds.OrgId, ds.Name, secretType)
 		if err != nil {
 			return nil, err
 		}
@@ -294,21 +293,6 @@ func (s *Service) DecryptedValues(ctx context.Context, ds *models.DataSource) (m
 	return decryptedValues, nil
 }
 
-func (s *Service) MigrateSecrets(ctx context.Context, ds *models.DataSource) (map[string]string, error) {
-	secureJsonData, err := s.SecretsService.DecryptJsonData(ctx, ds.SecureJsonData)
-	if err != nil {
-		return nil, err
-	}
-
-	jsonData, err := json.Marshal(secureJsonData)
-	if err != nil {
-		return nil, err
-	}
-
-	err = s.SecretsStore.Set(ctx, ds.OrgId, ds.Name, secretType, string(jsonData))
-	return secureJsonData, err
-}
-
 func (s *Service) DecryptedValue(ctx context.Context, ds *models.DataSource, key string) (string, bool, error) {
 	values, err := s.DecryptedValues(ctx, ds)
 	if err != nil {
diff --git a/pkg/services/secrets/kvstore/kvstore.go b/pkg/services/secrets/kvstore/kvstore.go
index b438aec3c41..3af85175f10 100644
--- a/pkg/services/secrets/kvstore/kvstore.go
+++ b/pkg/services/secrets/kvstore/kvstore.go
@@ -30,6 +30,7 @@ type SecretsKVStore interface {
 	Set(ctx context.Context, orgId int64, namespace string, typ string, value string) error
 	Del(ctx context.Context, orgId int64, namespace string, typ string) error
 	Keys(ctx context.Context, orgId int64, namespace string, typ string) ([]Key, error)
+	Migrate(ctx context.Context, orgId int64, namespace string, typ string) (map[string]string, error)
 	Rename(ctx context.Context, orgId int64, namespace string, typ string, newNamespace string) error
 }
 
@@ -67,6 +68,10 @@ func (kv *FixedKVStore) Keys(ctx context.Context) ([]Key, error) {
 	return kv.kvStore.Keys(ctx, kv.OrgId, kv.Namespace, kv.Type)
 }
 
+func (kv *FixedKVStore) Migrate(ctx context.Context) ([]Key, error) {
+	return kv.kvStore.Keys(ctx, kv.OrgId, kv.Namespace, kv.Type)
+}
+
 func (kv *FixedKVStore) Rename(ctx context.Context, newNamespace string) error {
 	err := kv.kvStore.Rename(ctx, kv.OrgId, kv.Namespace, kv.Type, newNamespace)
 	if err != nil {
diff --git a/pkg/services/secrets/kvstore/sql.go b/pkg/services/secrets/kvstore/sql.go
index 08b1c9fe257..494c91d97ac 100644
--- a/pkg/services/secrets/kvstore/sql.go
+++ b/pkg/services/secrets/kvstore/sql.go
@@ -3,10 +3,12 @@ package kvstore
 import (
 	"context"
 	"encoding/base64"
+	"encoding/json"
 	"sync"
 	"time"
 
 	"github.com/grafana/grafana/pkg/infra/log"
+	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/services/secrets"
 	"github.com/grafana/grafana/pkg/services/sqlstore"
 )
@@ -218,3 +220,27 @@ func (kv *secretsKVStoreSQL) Rename(ctx context.Context, orgId int64, namespace
 		return err
 	})
 }
+
+func (kv *secretsKVStoreSQL) Migrate(ctx context.Context, orgId int64, namespace string, typ string) (map[string]string, error) {
+	query := &models.GetDataSourceQuery{
+		OrgId: orgId,
+		Name:  namespace,
+	}
+	err := kv.sqlStore.GetDataSource(ctx, query)
+	if err != nil {
+		return nil, err
+	}
+
+	secureJsonData, err := kv.secretsService.DecryptJsonData(ctx, query.Result.SecureJsonData)
+	if err != nil {
+		return nil, err
+	}
+
+	jsonData, err := json.Marshal(secureJsonData)
+	if err != nil {
+		return nil, err
+	}
+
+	err = kv.Set(ctx, orgId, namespace, typ, string(jsonData))
+	return secureJsonData, err
+}