
Harden secrets at rest using envelope encryption #6211

Open

alespour wants to merge 25 commits into master from fix/issue-1046

Conversation

@alespour alespour commented May 15, 2026

This PR hardens secret handling in Chronograf by encrypting persisted secret fields in the KV store using envelope encryption (DEK wrapped by a master key).
It covers Source.Password, Source.SharedSecret, Source.ManagementToken, Source.DatabaseToken, and Server.Password, while keeping runtime/API models unchanged.

Migration and Rollback

  • Startup migration (automatic): when Chronograf starts with a valid secrets master key, it initializes/unlocks the wrapped DEK and migrates legacy plaintext secret records to encrypted form.
  • Fail-fast behavior: if encrypted records exist but no usable master key is provided, startup fails.
  • Rollback (explicit/manual): disable-secrets-encryption decrypts persisted secrets back to plaintext and removes the wrapped DEK.

❗ Note for reviewers: If operational preference is to make migration explicit as well / or only, a dedicated chronoctl migration command can be added.

New chronoctl commands

  • gen-secrets-master-key — generate a base64 32-byte master key (stdout or file).
  • rewrap-secrets-master-key — rotate master key wrapping for the stored DEK (does not re-encrypt secret records).
  • disable-secrets-encryption — decrypt persisted secrets and remove wrapped DEK.

@alespour alespour marked this pull request as ready for review May 15, 2026 10:58
@alespour alespour requested a review from Copilot May 15, 2026 10:58
Copilot AI left a comment


Pull request overview

Hardens persisted secrets in Chronograf's KV store by encrypting Source.Password, Source.SharedSecret, Source.ManagementToken, Source.DatabaseToken, and Server.Password using AES-256-GCM envelope encryption (a DEK wrapped by a master key). Adds startup migration of legacy plaintext records, fail-closed behavior when a master key is missing but encrypted records exist, and three new chronoctl commands for key generation, rotation, and rollback. Also redacts databaseToken and managementToken from API responses and updates Swagger descriptions.

Changes:

  • New envelope crypto in kv/internal (versioned [v1|nonce|ciphertext] format) plus per-field SecretEncoding enum on Source/Server proto messages.
  • New kv/secrets.go with InitializeSecretDEK, RewrapSecretDEK, DisableSecretEncryption, and migration of legacy plaintext records on startup.
  • New server flags (--secrets-master-key, --secrets-master-key-file), wiring into openService with defer clear(...) of the master key, response redaction of new token fields, and three new chronoctl subcommands.

Reviewed changes

Copilot reviewed 18 out of 19 changed files in this pull request and generated 1 comment.

File and description:

  • kv/internal/crypto.go: New AES-GCM seal/open primitives and DEK wrap/unwrap helpers.
  • kv/internal/internal.go: DEK process-global state and per-field marshal/unmarshal that transparently encrypt/decrypt secret strings.
  • kv/internal/internal.proto / internal.pb.go: Adds SecretEncoding enum and per-secret encoding fields on Source/Server.
  • kv/internal/internal_test.go, crypto_test.go: Unit tests for crypto and marshaling roundtrips.
  • kv/secrets.go: Wrapped-DEK lifecycle, fail-closed checks, migration, and rollback to plaintext.
  • kv/kv_test.go: Integration tests for migration and DEK lifecycle.
  • server/server.go: Adds master key flags, loadSecretsMasterKey, wires DEK init into openService, clears key bytes after use.
  • server/server_test.go: Unit tests for loadSecretsMasterKey covering both flag and file inputs.
  • server/sources.go: Redacts DatabaseToken and ManagementToken in API responses.
  • server/sources_test.go: Updates expected response bodies to reflect redaction.
  • server/swagger.json: Updates secret field descriptions to indicate write-only/redacted behavior.
  • cmd/chronoctl/gen_secrets_master_key.go: New command to generate base64 32-byte master keys (contains "non-existant" typo).
  • cmd/chronoctl/rewrap_secrets_master_key.go: New command to rotate the master key by rewrapping the stored DEK.
  • cmd/chronoctl/disable_secrets_encryption.go: New command to decrypt persisted secrets and remove the wrapped DEK.
  • cmd/chronoctl/main_test.go: Test helper updates for new commands.
  • CHANGELOG.md, cmd/chronoctl/README.md: Documents new feature and commands.
Files not reviewed (1)
  • kv/internal/internal.pb.go: Language not supported
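Worked example of the envelope scheme that the PR description and the overview above lay out: a random DEK sealed under the master key, each secret field stored as a versioned [version byte | nonce | AES-256-GCM ciphertext+tag] record, fail-closed startup when a wrapped DEK exists but no master key is supplied, in-place migration of legacy plaintext records, and a master-key rewrap that leaves every record untouched. This is an added illustration, not code from this PR or from Chronograf's kv/internal or kv/secrets.go; the names Store, gcm, seal, open, InitializeSecretDEK and RewrapSecretDEK, the bool Encrypted flag standing in for the SecretEncoding enum, and the single version byte 0x01 are assumptions. The rollback path (disable-secrets-encryption) is not shown; it is the migration loop run with open instead of seal, followed by dropping the wrapped DEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Illustrative envelope encryption with hypothetical names; not Chronograf's kv/internal code.
// Record layout assumed from the review summary: [version byte | nonce | AES-256-GCM ciphertext+tag].
const recordVersion byte = 0x01

// ErrNoMasterKey is the fail-closed startup condition the PR describes.
var ErrNoMasterKey = errors.New("wrapped DEK exists but no secrets master key is configured")

// gcm builds AES-256-GCM; a 32-byte key is a precondition (the real code validates key length on load).
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal encrypts under key with a fresh random nonce and prefixes the version byte.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (documented since Go 1.24)
	return aead.Seal(append([]byte{recordVersion}, nonce...), nonce, plaintext, nil)
}

// open checks the version byte, splits off the nonce and authenticates the ciphertext.
// Decrypt-on-read of a stored secret is open(dek, record).
func open(key, record []byte) ([]byte, error) {
	aead := gcm(key)
	ns := aead.NonceSize()
	if len(record) < 1+ns+aead.Overhead() || record[0] != recordVersion {
		return nil, errors.New("malformed or unsupported secret record")
	}
	return aead.Open(nil, record[1:1+ns], record[1+ns:], nil)
}

// Store stands in for the KV buckets (constructed, not the real schema); Encrypted plays the SecretEncoding role.
type Store struct {
	WrappedDEK []byte            // nil: encryption not enabled
	Secrets    map[string][]byte // legacy plaintext or sealed record, per Encrypted
	Encrypted  map[string]bool
}

// InitializeSecretDEK mirrors startup: fail closed, unwrap (or create and wrap) the DEK,
// then migrate legacy plaintext records in place. Returns the DEK, nil in plaintext mode.
func (s *Store) InitializeSecretDEK(masterKey []byte) ([]byte, error) {
	if len(masterKey) == 0 {
		if s.WrappedDEK != nil {
			return nil, ErrNoMasterKey
		}
		return nil, nil // plaintext mode: nothing to unwrap or migrate
	}
	if s.WrappedDEK == nil { // first start with a key: create a DEK and wrap it
		dek := make([]byte, 32)
		rand.Read(dek)
		s.WrappedDEK = seal(masterKey, dek)
	}
	dek, err := open(masterKey, s.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	for name, val := range s.Secrets {
		if !s.Encrypted[name] {
			s.Secrets[name] = seal(dek, val)
			s.Encrypted[name] = true
		}
	}
	return dek, nil
}

// RewrapSecretDEK rotates the master key: only the wrapped DEK changes, records stay as they are.
func (s *Store) RewrapSecretDEK(oldKey, newKey []byte) error {
	dek, err := open(oldKey, s.WrappedDEK)
	if err != nil {
		return fmt.Errorf("old secrets master key cannot unwrap DEK: %w", err)
	}
	s.WrappedDEK = seal(newKey, dek)
	return nil
}

func main() {
	s := &Store{Secrets: map[string][]byte{"Source.Password": []byte("changeit")}, Encrypted: map[string]bool{}}
	mk := make([]byte, 32) // constructed master key; real ones come from chronoctl gen-secrets-master-key
	rand.Read(mk)
	dek, _ := s.InitializeSecretDEK(mk)
	rec := s.Secrets["Source.Password"]
	fmt.Printf("record: version 0x%02x, %d bytes; DEK %d bytes\n", rec[0], len(rec), len(dek))
}
```

The property that step 5 of the manual test plan relies on is visible in RewrapSecretDEK: rotating the master key re-seals only the 32-byte DEK, so every Source and Server record stays byte-identical and nothing else in the bolt file is rewritten; rotating the DEK itself would instead require re-encrypting every record. Because the master key is never persisted, a copy of the database alone yields the wrapped DEK and ciphertexts only, which is why the strings checks in the test results come back empty once encryption is active.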


alespour commented May 15, 2026

Manual test plan:

  1. Start Chronograf with no SECRETS_MASTER_KEY; create/update a source and kapacitor with non-empty credentials; stop Chronograf.
  2. Restart with valid SECRETS_MASTER_KEY (or SECRETS_MASTER_KEY_FILE); verify startup succeeds and existing sources/kapacitors still work (proves startup migration + decrypt-on-read).
  3. Restart again with the same key; verify normal startup and behavior (proves wrapped DEK reuse path).
  4. Restart without key after encryption is active; verify startup fails fast with missing-key error.
  5. Run chronoctl rewrap-secrets-master-key with old/new keys; restart Chronograf with new key; verify startup and credentials still work.
  6. Run chronoctl disable-secrets-encryption; restart Chronograf without key; verify startup succeeds and existing credentials still work.
  7. Call /chronograf/v1/sources and /chronograf/v1/sources/{id}; verify password, sharedSecret, databaseToken, managementToken are not returned in responses.
  8. Call kapacitor/service get endpoints; verify server password is not exposed in API responses.

@karel-rehor karel-rehor self-requested a review May 25, 2026 08:11
@karel-rehor

@alespour

I've run the proposed basic tests. Notes can be found here.

I'm going to perform a few additional tests with key files and additional connection configuration.

karel-rehor commented May 26, 2026

@alespour

After running some exploratory tests I've uncovered some minor issues.

General

  1. bash tab completion for chronoctl does not work.

Using a non-default database and files for key storage reveals two issues. See the Exploratory section below.

  1. The default database chronograf-v1.db can be inadvertently generated by the .chronoctl utility when rewrapping but forgetting to provide the --bolt-path argument.

bednar commented May 27, 2026

@karel-rehor please copy tests results also here … of course without confidential information 😉

@karel-rehor

@bednar @alespour

Provided test plan results

1) Baseline

2026-05-25 17:00

PASSED

Start Chronograf with no SECRETS_MASTER_KEY; create/update a source and kapacitor with non-empty credentials; stop Chronograf.

  1. $ ./chronograf --influxdb-v3-support-enabled
INFO[0000] Starting Chronograf 202605251210~2bb62962bb6296a0c99ad862ad83fb954849517388d175e 
INFO[0000] InfluxDB v3 time condition validated and configured  component=server time_condition="time > now() - 1d"
INFO[0000] Serving chronograf at http://[::]:8888        component=server
INFO[0000] Reporting usage stats                         component=usage freq=24h reporting_addr="https://usage.influxdata.com" stats="os,arch,version,cluster_id,uptime"

In second terminal

$ ls -al chronograf-v1.db
-rw------- 1 karl karl 32768 May 25 14:50 chronograf-v1.db

OK.

  2. Create Influxdb3 Core connection with token (Setup Wizard) - OK
  3. Add kapacitor - OK
    • N.B. running strings chronograf-v1.db reveals the credentials in the chronograf database.
...
admin"
changeit*
...

2) Basic startup/migration with SECRETS_MASTER_KEY

2026-05-26 10:00

PASSED

Restart with valid SECRETS_MASTER_KEY (or SECRETS_MASTER_KEY_FILE); verify startup succeeds and existing sources/kapacitors still work (proves startup migration + decrypt-on-read).

  1. Regenerate connections from Baseline test - OK
  2. Use chronoctl to generate SECRETS_MASTER_KEY - OK
$ ./chronoctl gen-secrets-master-key
rCFXqeLS2kKdOJgtitIlk3l4nZZfQEuzQRIialLVT0s=
  3. startup - OK
$ ./chronograf --influxdb-v3-support-enabled --secrets-master-key="rCFXqeLS2kKdOJgtitIlk3l4nZZfQEuzQRIialLVT0s="
INFO[0000] Starting Chronograf 202605251210~2bb62962bb6296a0c99ad862ad83fb954849517388d175e 
INFO[0000] Moving from version 1.8.0                    
INFO[0000] Moving to version 202605251210~2bb6296       
INFO[0000] Successfully created backup/chronograf-v1.db.1.8.0 
INFO[0000] InfluxDB v3 time condition validated and configured  component=server time_condition="time > now() - 1d"
INFO[0000] Reporting usage stats                         component=usage freq=24h reporting_addr="https://usage.influxdata.com" stats="os,arch,version,cluster_id,uptime"
INFO[0000] Serving chronograf at http://[::]:8888        component=server

  4. Reuse...
    • existing Influxdb 3 Core connection - with telegraf cpu data - OK
    • kapacitor connection - create new rule - OK
  5. $ strings chronograf-v1.db - still reveals existing influxdb3 token and kapacitor credentials. ?

3) Basic restart with SECRETS_MASTER_KEY

2026-05-26 10:15

PASSED

Restart again with the same key; verify normal startup and behavior (proves wrapped DEK reuse path).

  1. Restart
$ ./chronograf --influxdb-v3-support-enabled --secrets-master-key="rCFXqeLS2kKdOJgtitIlk3l4nZZfQEuzQRIialLVT0s="
INFO[0000] Starting Chronograf 202605251210~2bb62962bb6296a0c99ad862ad83fb954849517388d175e 
INFO[0000] InfluxDB v3 time condition validated and configured  component=server time_condition="time > now() - 1d"
INFO[0000] Reporting usage stats                         component=usage freq=24h reporting_addr="https://usage.influxdata.com" stats="os,arch,version,cluster_id,uptime"
INFO[0000] Serving chronograf at http://[::]:8888        component=server
  2. Verify connections
    • existing Influxdb 3 Core connection - with telegraf cpu data - OK
    • kapacitor connection - edit rule from previous test - OK

4) Basic restart without SECRETS_MASTER_KEY

2026-05-26 10:15

PASSED

Restart without key after encryption is active; verify startup fails fast with missing-key error.

  1. Restart - fails with error - OK
$ ./chronograf --influxdb-v3-support-enabled 
INFO[0000] Starting Chronograf 202605251210~2bb62962bb6296a0c99ad862ad83fb954849517388d175e 
INFO[0000] InfluxDB v3 time condition validated and configured  component=server time_condition="time > now() - 1d"
ERRO[0000] Unable to initialize secret encryptionwrapped DEK exists but no secrets master key is configured  component=Secrets

5) Basic rewrap and then restart

2026-05-26 10:45

PASSED

Run chronoctl rewrap-secrets-master-key with old/new keys; restart Chronograf with new key; verify startup and credentials still work.

  1. Rewrap command - simple naive - OK
$ ./chronoctl rewrap-secrets-master-key
old secrets master key is required
  2. Rewrap command help - OK
  3. Create new key
$ ./chronoctl gen-secrets-master-key 
IRd88h8Q6mGjPG0jnP8Z5N2KpHI2NWH7R0BsKJqs3SY=
  4. Rewrap old key - OK
$ ./chronoctl rewrap-secrets-master-key --old-secrets-master-key="rCFXqeLS2kKdOJgtitIlk3l4nZZfQEuzQRIialLVT0s=" --new-secrets-master-key="IRd88h8Q6mGjPG0jnP8Z5N2KpHI2NWH7R0BsKJqs3SY="
Successfully rewrapped DEK with new secrets master key
  5. Restart - OK
$ ./chronograf --influxdb-v3-support-enabled --secrets-master-key="IRd88h8Q6mGjPG0jnP8Z5N2KpHI2NWH7R0BsKJqs3SY="
INFO[0000] Starting Chronograf 202605251210~2bb62962bb6296a0c99ad862ad83fb954849517388d175e 
INFO[0000] InfluxDB v3 time condition validated and configured  component=server time_condition="time > now() - 1d"
INFO[0000] Reporting usage stats                         component=usage freq=24h reporting_addr="https://usage.influxdata.com" stats="os,arch,version,cluster_id,uptime"
INFO[0000] Serving chronograf at http://[::]:8888        component=server
  6. Verify connections - OK

    • existing Influxdb 3 Core connection - with telegraf cpu data - OK
    • kapacitor connection - edit rule from previous test - OK
  7. Snoop database - OK

$ strings chronograf-v1.db | grep "apiv3"
$ strings chronograf-v1.db | grep "changeit"
$

6) Disable secrets encryption

2026-05-26 11:00

PASSED

Run chronoctl disable-secrets-encryption; restart Chronograf without key; verify startup succeeds and existing credentials still work.

  1. Disable secrets encryption help - OK
$ ./chronoctl disable-secrets-encryption --help
Usage:
  chronoctl [OPTIONS] disable-secrets-encryption [disable-secrets-encryption-OPTIONS]
...
  2. Run disable command naively - OK
$ ./chronoctl disable-secrets-encryption 
current secrets master key is required
  3. Run disable command -
$ ./chronoctl disable-secrets-encryption --secrets-master-key="IRd88h8Q6mGjPG0jnP8Z5N2KpHI2NWH7R0BsKJqs3SY="
Successfully disabled secrets encryption and removed wrapped DEK
  4. restart - without encryption - OK
$ ./chronograf --influxdb-v3-support-enabled
INFO[0000] Starting Chronograf 202605251210~2bb62962bb6296a0c99ad862ad83fb954849517388d175e 
INFO[0000] Moving from version 1.8.0                    
INFO[0000] Moving to version 202605251210~2bb6296       
INFO[0000] Successfully created backup/chronograf-v1.db.1.8.0 
INFO[0000] InfluxDB v3 time condition validated and configured  component=server time_condition="time > now() - 1d"
INFO[0000] Serving chronograf at http://[::]:8888        component=server
INFO[0000] Reporting usage stats                         component=usage freq=24h reporting_addr="https://usage.influxdata.com" stats="os,arch,version,cluster_id,uptime"
  5. Verify connections - OK

    • existing Influxdb 3 Core connection - with telegraf cpu data - OK
    • kapacitor connection - edit rule from previous test - OK
  6. Snoop database - (values decrypted) - functionally OK

$ strings chronograf-v1.db | grep "apiv3"
\apiv3_kbyT09fqW464tDApPghYZyeX4I_AbInpdeAbIZyufaWxXEY1rpeqW7UPjVYtNBsDWh0B0muyIuJGZpfzSowwDAUsersV2
$ strings chronograf-v1.db | grep "changeit"
changeit*

7) Check chronograf endpoints

2026-05-26 11:00

PASSED

Call /chronograf/v1/sources and /chronograf/v1/sources/{id}; verify password, sharedSecret, databaseToken, managementToken are not returned in responses.

  1. sources check - OK
$ curl -s http://localhost:8888/chronograf/v1/sources | grep "password"
$ curl -s http://localhost:8888/chronograf/v1/sources | grep "sharedSecret"
$ curl -s http://localhost:8888/chronograf/v1/sources | grep "databaseToken"
$ curl -s http://localhost:8888/chronograf/v1/sources | grep "managementToken"
$
  2. sources id check - OK
$ curl -s http://localhost:8888/chronograf/v1/sources/1 | grep "password"
$ curl -s http://localhost:8888/chronograf/v1/sources/1 | grep "sharedSecret"
$ curl -s http://localhost:8888/chronograf/v1/sources/1 | grep "Token"

8) Check kapacitor endpoints

2026-05-26 14:00

PASSED

Call kapacitor/service get endpoints; verify server password is not exposed in API responses.

  1. config endpoint
$ curl -s -u admin:changeit http://localhost:9092/kapacitor/v1/config | jq | grep "password"
            "password": false,
            "password"
            "password": false,
            "password",
            "password": false,
            "password"
            "password": false,
            "password",
            "password": false,
            "password"
            "password": false,
            "password"
            "password": false,
            "password"
  2. users endpoint
### unknown user
$ curl -s -u foo:wumpus http://localhost:9092/kapacitor/v1/users
{"error":"authorization failed","message":"authorization failed"}
### actual admin
$ curl -s -u admin:changeit http://localhost:9092/kapacitor/v1/users
{
    "users": [
        {
            "link": {
                "rel": "self",
                "href": "/kapacitor/v1/users/admin"
            },
            "name": "admin",
            "permissions": [],
            "type": "admin"
        }
    ]
}
$ curl -s -u admin:changeit http://localhost:9092/kapacitor/v1/users/admin
{
    "link": {
        "rel": "self",
        "href": "/kapacitor/v1/users/admin"
    },
    "name": "admin",
    "type": "admin",
    "permissions": []
}

@karel-rehor

@bednar @alespour

Exploratory testing notes

Interim Summary

Using a non-default database and files for key storage reveals one potential issue.

  1. The default database chronograf-v1.db can be inadvertently generated by the .chronoctl utility when rewrapping but forgetting to provide the --bolt-path argument. See step 10 below. The user is not informed.

Fresh non-default database and SECRETS_MASTER_KEY in file

  1. Stop chronograf - OK

  2. Remove standard database - OK

  3. Generate key to file - OK

$ ./chronoctl gen-secrets-master-key --out=super-key.dek
Secrets master key generated and saved at super-key.dek
  4. Start chronograf with key in file and non-default database - OK
$ ./chronograf --influxdb-v3-support-enabled --secrets-master-key-file=super-key.dek --bolt-path=my-chronograf.db
INFO[0000] Starting Chronograf 202605251210~2bb62962bb6296a0c99ad862ad83fb954849517388d175e 
INFO[0000] InfluxDB v3 time condition validated and configured  component=server time_condition="time > now() - 1d"
INFO[0000] Serving chronograf at http://[::]:8888        component=server
INFO[0000] Reporting usage stats                         component=usage freq=24h reporting_addr="https://usage.influxdata.com" stats="os,arch,version,cluster_id,uptime"
INFO[0000] Response: OK                                  component=server method=GET remote_addr="[::1]:57338" response_time="195.249µs" status=200
  5. Setup connections - OK

    • Influx3 Core - OK
    • Kapacitor (admin:changeit) - OK
  6. Snoop database - OK

$ strings my-chronograf.db | grep "apiv3"
$ strings my-chronograf.db | grep "changeit"
$ strings my-chronograf.db | grep "admin"
admin"4AauTmcT7lCa6+EiE1fTz9R3QuknpNrOAqtzK7AjTVmOXOiJh3A==*
  7. Restart without key file - OK
$ ./chronograf --influxdb-v3-support-enabled --bolt-path=my-chronograf.db
INFO[0000] Starting Chronograf 202605251210~2bb62962bb6296a0c99ad862ad83fb954849517388d175e 
INFO[0000] Moving from version 1.8.0                    
INFO[0000] Moving to version 202605251210~2bb6296       
INFO[0000] Successfully created backup/my-chronograf.db.1.8.0 
INFO[0000] InfluxDB v3 time condition validated and configured  component=server time_condition="time > now() - 1d"
ERRO[0000] Unable to initialize secret encryptionwrapped DEK exists but no secrets master key is configured  component=Secrets
  8. Restart with key file - OK
$ ./chronograf --influxdb-v3-support-enabled --secrets-master-key-file=super-key.dek --bolt-path=my-chronograf.db
INFO[0000] Starting Chronograf 202605251210~2bb62962bb6296a0c99ad862ad83fb954849517388d175e 
INFO[0000] InfluxDB v3 time condition validated and configured  component=server time_condition="time > now() - 1d"
INFO[0000] Reporting usage stats                         component=usage freq=24h reporting_addr="https://usage.influxdata.com"
  9. Verify connections - OK

    • Influxdb 3 Core - explorer query - OK
    • Kapacitor - reconfigure alert - OK
  10. Re-wrap secret in super-key.dek file with non-default db file. - ??

$ ./chronoctl gen-secrets-master-key --out=meta-key.dek
Secrets master key generated and saved at meta-key.dek
### see what happens if db file is not found
$ ./chronoctl rewrap-secrets-master-key --old-secrets-master-key-file=super-key.dek --new-secrets-master-key-file=meta-key.dek
wrapped DEK not found
### !!! odd message
### !!! it appears a default db chronograf-v1.db was suddenly added by the above command. 
$ ls -al
total 209100
drwxrwxr-x  3 karl karl      4096 May 26 16:19 .
drwxrwxr-x 10 karl karl      4096 May 25 13:51 ..
drwx------  2 karl karl      4096 May 26 16:10 backup
-rwxrwxr-x  1 karl karl  83812552 May 25 14:30 chronoctl
-rwxrwxr-x  1 karl karl 130221224 May 25 14:29 chronograf
-rw-------  1 karl karl     32768 May 26 16:19 chronograf-v1.db
-rw-------  1 karl karl        45 May 26 16:15 meta-key.dek
-rw-------  1 karl karl     32768 May 26 16:11 my-chronograf.db
-rw-------  1 karl karl        45 May 26 15:07 super-key.dek
-rw-rw-r--  1 karl karl      1157 May 25 13:51 testing_notes.md
### continuing with param for non-default db. 
$ ./chronoctl rewrap-secrets-master-key --old-secrets-master-key-file=super-key.dek --new-secrets-master-key-file=meta-key.dek --bolt-path=my-chronograf.db
Successfully rewrapped DEK with new secrets master key
### ^^^ OK
### start with wrapper key
$ ./chronograf --influxdb-v3-support-enabled --secrets-master-key-file=meta-key.dek --bolt-path=my-chronograf.db
INFO[0000] Starting Chronograf 202605251210~2bb62962bb6296a0c99ad862ad83fb954849517388d175e 
INFO[0000] Moving from version 1.8.0                    
INFO[0000] Moving to version 202605251210~2bb6296       
INFO[0000] Successfully created backup/my-chronograf.db.1.8.0 
INFO[0000] InfluxDB v3 time condition validated and configured  component=server time_condition="time > now() - 1d"
INFO[0000] Serving chronograf at http://[::]:8888        component=server
INFO[0000] Reporting usage stats                         component=usage freq=24h reporting_addr="https://usage.influxdata.com" stats="os,arch,version,cluster_id,uptime"
  11. verify connections - OK
  • Influxdb 3 Core - explorer query - OK
  • Kapacitor - reconfigure alert - OK
  12. Snoop DB - OK
$ strings my-chronograf.db | grep "apiv3"
$ strings my-chronograf.db | grep "changeit"
$ strings my-chronograf.db | grep "admin"
admin"4AauTmcT7lCa6+EiE1fTz9R3QuknpNrOAqtzK7AjTVmOXOiJh3A==*
  13. Disable encryption with chronoctl - OK
$ ./chronoctl disable-secrets-encryption --secrets-master-key-file=meta-key.dek --bolt-path=my-chronograf.db
Successfully disabled secrets encryption and removed wrapped DEK
  14. Restart without encryption - OK
$ ./chronograf --influxdb-v3-support-enabled  --bolt-path=my-chronograf.db
INFO[0000] Starting Chronograf 202605251210~2bb62962bb6296a0c99ad862ad83fb954849517388d175e 
INFO[0000] Moving from version 1.8.0                    
INFO[0000] Moving to version 202605251210~2bb6296       
INFO[0000] Successfully created backup/my-chronograf.db.1.8.0 
INFO[0000] InfluxDB v3 time condition validated and configured  component=server time_condition="time > now() - 1d"
INFO[0000] Reporting usage stats                         component=usage freq=24h reporting_addr="https://usage.influxdata.com" stats="os,arch,version,cluster_id,uptime"
INFO[0000] Serving chronograf at http://[::]:8888        component=server
  15. Verify endpoints - OK
  • Influxdb 3 Core - explorer query - OK
  • Kapacitor - reconfigure alert - OK
  16. Snoop DB - OK
$ strings my-chronograf.db | grep "changeit"
changeit*
$ strings my-chronograf.db | grep "apiv3"
\apiv3_kbyT09fqW464tDApPghYZyeX4I_AbInpdeAbIZyufaWxXEY1rpeqW7UPjVYtNBsDWh0B0muyIuJGZpfzSowwDAUsersV2

@alespour
@karel-rehor The non-working bash completion in chronoctl appears to be a pre-existing issue; this PR does not address it.

alespour commented May 27, 2026

@karel-rehor Thank you for the thorough testing and report. The issue of chronograf-v1.db being generated when a non-default bolt path is used has been addressed in b17a357.

@karel-rehor

@alespour

In CircleCI I rebuilt the nightly-build binaries based on commit 80ef3d78

Using the build for linux amd64 I repeated the exploratory test that uncovered the --bolt-path issue. Everything works great now. From today's testing notes:

  1. Re-wrap secret in super-key.dek file with non-default db file. - OK
$ ./chronoctl gen-secrets-master-key --out=meta-key.dek
Secrets master key generated and saved at meta-key.dek
### see what happens if db file is not found
$ ./chronoctl rewrap-secrets-master-key --old-secrets-master-key-file=super-key.dek --new-secrets-master-key-file=meta-key.dek
bolt db "chronograf-v1.db" not found; use --bolt-path to target an existing chronograf database
### nice message - issue fixed
### no new default db chronograf-v1.db was added by the above command. 
$ ls -al 
total 418188
drwxrwxr-x  3 karl karl      4096 May 27 15:05 .
drwxrwxr-x 10 karl karl      4096 May 25 13:51 ..
drwx------  2 karl karl      4096 May 26 16:23 backup
-rwxrwxr-x  1 karl karl  83841104 May 27 14:56 chronoctl
-rwxrwxr-x  1 karl karl  83812552 May 25 14:30 chronoctl-2bb629
-rwxrwxr-x  1 karl karl 130274888 May 27 14:56 chronograf
-rwxrwxr-x  1 karl karl 130221224 May 25 14:29 chronograf-2bb629
-rw-------  1 karl karl        45 May 27 15:05 meta-key.dek
-rw-------  1 karl karl     32768 May 27 15:03 my-chronograf.db
-rw-------  1 karl karl        45 May 27 14:58 super-key.dek
-rw-rw-r--  1 karl karl      1157 May 25 13:51 testing_notes.md
### continuing with param for non-default db. 
$ ./chronoctl rewrap-secrets-master-key --old-secrets-master-key-file=super-key.dek --new-secrets-master-key-file=meta-key.dek --bolt-path=my-chronograf.db
Successfully rewrapped DEK with new secrets master key
### ^^^ OK
### start with wrapper key
$ ./chronograf --influxdb-v3-support-enabled --secrets-master-key-file=meta-key.dek --bolt-path=my-chronograf.db
INFO[0000] Starting Chronograf 202605251210~2bb62962bb6296a0c99ad862ad83fb954849517388d175e 
INFO[0000] Moving from version 1.8.0                    
INFO[0000] Moving to version 202605251210~2bb6296       
INFO[0000] Successfully created backup/my-chronograf.db.1.8.0 
INFO[0000] InfluxDB v3 time condition validated and configured  component=server time_condition="time > now() - 1d"
INFO[0000] Serving chronograf at http://[::]:8888        component=server
INFO[0000] Reporting usage stats                         component=usage freq=24h reporting_addr="https://usage.influxdata.com" stats="os,arch,version,cluster_id,uptime"

also

  1. Disable encryption with chronoctl - OK
### repeat check of missing bolt path - OK
$ ./chronoctl disable-secrets-encryption --secrets-master-key-file=meta-key.dek 
bolt db "chronograf-v1.db" not found; use --bolt-path to target an existing chronograf database
### Now disable encryption
$ ./chronoctl disable-secrets-encryption --secrets-master-key-file=meta-key.dek --bolt-path=my-chronograf.db
Successfully disabled secrets encryption and removed wrapped DEK

I'll now continue with code review.

@karel-rehor karel-rehor left a comment

Tests pass locally. Changes make sense. Looks good to me. 🚴 🏁

4 participants