SupportBundles: Add bundle encryption based on age (#62501)

* add bundle encryption based on age * undo changes to grafana-data * sort deps * test bundle creation and encryption * use whitespace separator * add support bundle config documentation * Update docs/sources/troubleshooting/support-bundles/index.md * Apply suggestions from code review Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * touch up docs * extract encrypt * Update docs/sources/troubleshooting/support-bundles/index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/troubleshooting/support-bundles/index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2023-02-24 15:24:44 +00:00
parent 966bcd3545
commit af987ae636
10 changed files with 398 additions and 28 deletions
--- a/docs/sources/troubleshooting/support-bundles/index.md
+++ b/docs/sources/troubleshooting/support-bundles/index.md
@@ -53,3 +53,71 @@ To generate a support bundle and send the support bundle to Grafana Labs via a s
   Grafana downloads the support bundle to an archive (tar.gz) file.

 1. Attach the archive (tar.gz) file to a support ticket that you send to Grafana Labs Technical Support.
+
+## Support bundle configuration
+
+You can configure the following settings for support bundles:
+
+```ini
+# Enable support bundle creation (default: true)
+enabled = true
+# Only server admins can generate and view support bundles. When set to false, organization admins can generate and view support bundles (default: true)
+server_admin_only = true
+# If set, bundles will be encrypted with the provided public keys separated by whitespace
+public_keys = ""
+```
+
+## Encrypting a support bundle
+
+Support bundles can be encrypted with [age](age-encryption.org) before they are sent to
+recipients. This is useful when you want to send a support bundle to Grafana through a
+channel that is not private.
+
+### Generate a key pair
+
+Ensure [age](https://github.com/FiloSottile/age#installation) is installed on your system.
+
+```bash
+$ age-keygen -o key.txt
+Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
+```
+
+### Support bundle encryption
+
+Ensure [age](https://github.com/FiloSottile/age#installation) is installed on your system.
+
+Add the public key to the `public_keys` setting in the `support_bundle` section of the Grafana configuration file.
+
+```ini
+[support_bundle]
+public_keys = "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"
+```
+
+> Multiple public keys can be defined by separating them with whitespace.
+> All included public keys will be able to decrypt the support bundle.
+
+Example:
+
+```ini
+[support_bundle]
+public_keys = "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p age1yu8vzu554pv3klw46yhdv4raz36k5w3vy30lpxn46923lqngudyqvxacer"
+```
+
+When you restart Grafana, new support bundles will be encrypted with the provided
+public keys. The support bundle file extension is `tar.gz.age`.
+
+#### Decrypt a support bundle
+
+Ensure [age](https://github.com/FiloSottile/age#installation) is installed on your system.
+
+Execute the following command to decrypt the support bundle:
+
+```bash
+age --decrypt -i keyfile -o output.tar.gz downloaded.tar.gz.age
+```
+
+Example:
+
+```bash
+age --decrypt -i key.txt -o data.tar.gz af6684b4-d613-4b31-9fc3-7cb579199bea.tar.gz.age
+```