Docs: Refactor encryption docs (#44718)

* Docs: Refactor encryption docs

* Rename enterprise encr

* Remove envelope encr page

* combine database encryption sections

* fix reference

* Fix link

Co-authored-by: Mitchel Seaman <mitchel.seaman@gmail.com>

docs/sources/administration/database-encryption-enterprise.md

@@ -1,22 +0,0 @@
-+++
-title = "Database encryption (Enterprise)"
-description = "Grafana Enterprise database encryption"
-keywords = ["grafana", "enterprise", "database", "encryption", "documentation"]
-aliases = [""]
-weight = 440
-+++
-
-# Grafana Enterprise database encryption
-
-If you are using Grafana Enterprise, you can change Grafana’s cryptographic mode of operation from AES-CFB to AES-GCM, and integrate with a key management system (KMS) provider.
-
-## Changing your encryption mode to AES-GCM
-
-Grafana encrypts secrets using Advanced Encryption Standard in Cipher
-FeedBack mode (AES-CFB). You might prefer to use AES in Galois/Counter
-Mode (AES-GCM) instead, to meet your company’s security requirements or
-in order to maintain consistency with other services.
-
-To change your encryption mode, update the `algorithm` value in the
-`[security.encryption]` section of your Grafana configuration file.
-For details, refer to Enterprise configuration.

docs/sources/administration/database-encryption.md

@@ -1,7 +1,7 @@
 +++
 title = "Database encryption"
 description = "Grafana database encryption"
-keywords = ["grafana", "database", "encryption", "documentation"]
+keywords = ["grafana", "database", "encryption", "envelope encryption", "documentation"]
 aliases = [""]
 weight = 450
 +++
@@ -12,6 +12,24 @@ Grafana’s database contains secrets, which are used to query data sources, sen
 
 Grafana encrypts these secrets before they are written to the database, by using a symmetric-key encryption algorithm called Advanced Encryption Standard (AES), and using a [secret key]({{< relref "../administration/configuration/#secret_key" >}}) that you can change when you configure a new Grafana instance.
 
-You can choose to use [envelope encryption]({{< relref "./envelope-encryption.md" >}}), which complements a [KMS integration]({{< relref "../enterprise/kms-integration/_index.md" >}}) in Grafana Enterprise by adding a layer of indirection to the encryption process.
+You can choose to use [envelope encryption](#envelope-encryption), which adds a layer of indirection to the encryption process.
 
-In Grafana Enterprise, you can also choose to [encrypt secrets in AES-GCM mode]({{< relref "../administration/database-encryption-enterprise.md" >}}) instead of AES-CFB.
+> **Note:** In Grafana Enterprise, you can also choose to [encrypt secrets in AES-GCM mode]({{< relref "../enterprise/enterprise-encryption/#changing-your-encryption-mode-to-aes-gcm" >}}) instead of AES-CFB.
+
+# Envelope encryption
+
+In Grafana, you can choose to use envelope encryption. Instead of
+encrypting all secrets with a single key, Grafana uses a set of keys
+called data encryption keys (DEKs) to encrypt them. These data
+encryption keys are themselves encrypted with a single key encryption
+key (KEK).
+
+To turn on envelope encryption, add the term `envelopeEncryption` to the list of feature toggles in your [Grafana configuration]({{< relref "../administration/configuration/#feature_toggles" >}}).
+
+> **Note:** Avoid turning off envelope encryption once you have turned it on, and back up your database before turning it on for the first time. If you turn envelope encryption on, create new secrets or update your existing secrets (for example, by creating a new data source or alert notification channel), and then turn envelope encryption off, then those data sources, alert notification channels, and other resources using envelope encryption will stop working and you will experience errors. This is because the secrets encrypted with envelope encryption cannot be decrypted or used by Grafana when envelope encryption is turned off.
+
+# KMS integration
+
+With KMS integrations, you can choose to encrypt secrets stored in the Grafana database using a key from a KMS, which is a secure central storage location that is designed to help you to create and manage cryptographic keys and control their use across many services.
+
+> **Note:** KMS integration is available in Grafana Enterprise. For more information, refer to [Enterprise Encryption]({{< relref "../enterprise/enterprise-encryption/_index.md" >}}) in Grafana Enterprise.

docs/sources/administration/envelope-encryption.md

@@ -1,21 +0,0 @@
-+++
-title = "Envelope encryption"
-description = "Envelope encryption"
-keywords = ["grafana", "envelope encryption", "documentation"]
-aliases = [""]
-weight = 430
-+++
-
-# Envelope encryption
-
-In Grafana, you can choose to use envelope encryption. Instead of
-encrypting all secrets with a single key, Grafana uses a set of keys
-called data encryption keys (DEKs) to encrypt them. These data
-encryption keys are themselves encrypted with a single key encryption
-key (KEK).
-
-To turn on envelope encryption, add the term `envelopeEncryption` to the list of feature toggles in your [Grafana configuration]({{< relref "../administration/configuration/#feature_toggles" >}}).
-
-> **Note:** Avoid turning off envelope encryption once you have turned it on, and back up your database before turning it on for the first time. If you turn envelope encryption on, create new secrets or update your existing secrets (for example, by creating a new data source or alert notification channel), and then turn envelope encryption off, then those data sources, alert notification channels, and other resources using envelope encryption will stop working and you will experience errors. This is because the secrets encrypted with envelope encryption cannot be decrypted or used by Grafana when envelope encryption is turned off.
-
-Refer to [Database encryption]({{< relref "../administration/database-encryption.md" >}}) to learn more about how Grafana encrypts secrets in the database.

docs/sources/enterprise/enterprise-encryption/_index.md

@@ -0,0 +1,35 @@
++++
+title = "Enterprise database encryption"
+description = "Grafana Enterprise database encryption"
+keywords = ["grafana", "enterprise", "database", "encryption", "documentation"]
+aliases = [""]
+weight = 130
++++
+
+# Grafana Enterprise database encryption
+
+If you are using Grafana Enterprise, you can integrate with a key management system (KMS) provider, and change Grafana’s cryptographic mode of operation from AES-CFB to AES-GCM.
+
+## Encrypting your database with a key from a Key Management System (KMS)
+
+You can choose to encrypt secrets stored in the Grafana database using a key from a KMS, which is a secure central storage location that is designed to help you to create and manage cryptographic keys and control their use across many services. When you integrate with a KMS, Grafana does not directly store your encryption key. Instead, Grafana stores KMS credentials and the identifier of the key, which Grafana uses to encrypt the database.
+
+Grafana integrates with the following key management systems:
+
+- [AWS KMS]({{< relref "/using-aws-kms-to-encrypt-database-secrets.md" >}})
+- [Azure Key Vault]({{< relref "/using-azure-key-vault-to-encrypt-database-secrets.md" >}})
+- [Google Cloud KMS]({{< relref "/using-google-cloud-kms-to-encrypt-database-secrets.md" >}})
+- [Hashicorp Key Vault]({{< relref "/using-hashicorp-key-vault-to-encrypt-database-secrets.md" >}})
+
+Refer to [Database encryption]({{< relref "../../administration/database-encryption.md" >}}) to learn more about how Grafana encrypts secrets in the database.
+
+## Changing your encryption mode to AES-GCM
+
+Grafana encrypts secrets using Advanced Encryption Standard in Cipher
+FeedBack mode (AES-CFB). You might prefer to use AES in Galois/Counter
+Mode (AES-GCM) instead, to meet your company’s security requirements or
+in order to maintain consistency with other services.
+
+To change your encryption mode, update the `algorithm` value in the
+`[security.encryption]` section of your Grafana configuration file.
+For details, refer to [Enterprise configuration]({{< relref "../enterprise-configuration.md#securityencryption" >}}).

docs/sources/enterprise/kms-integration/_index.md

@@ -1,19 +0,0 @@
-+++
-title = "KMS integration"
-description = ""
-keywords = ["grafana", "kms", "key management system integration"]
-weight = 1200
-+++
-
-# Key management systems (KMSs)
-
-You can choose to encrypt secrets stored in the Grafana database using a key from a KMS, which is a secure central storage location that is designed to help you to create and manage cryptographic keys and control their use across many services. When you integrate with a KMS, Grafana does not directly store your encryption key. Instead, Grafana stores KMS credentials and the identifier of the key, which Grafana uses to encrypt the database.
-
-Grafana integrates with the following key management systems:
-
-- [AWS KMS]({{< relref "/using-aws-kms-to-encrypt-database-secrets.md" >}})
-- [Azure Key Vault]({{< relref "/using-azure-key-vault-to-encrypt-database-secrets.md" >}})
-- [Google Cloud KMS]({{< relref "/using-google-cloud-kms-to-encrypt-database-secrets.md" >}})
-- [Hashicorp Key Vault]({{< relref "/using-hashicorp-key-vault-to-encrypt-database-secrets.md" >}})
-
-Refer to [Database encryption]({{< relref "../../administration/database-encryption.md" >}}) to learn more about how Grafana encrypts secrets in the database.