Grafana Won't Start After Upgrade? How We Fixed the Encryption Provider Error When Jumping from v11 to v13

The Situation

We had a Grafana instance running smoothly on a Windows machine for over 2 years, accessed via IP address by multiple teams for their dashboards. One day, the machine went down unexpectedly. After restarting it, Grafana simply refused to come back up.

---

The Error

When we ran Grafana manually using:

grafana-server.exe --homepath "C:\Program Files\GrafanaLabs\grafana"

We kept seeing:

Error: ✗ missing configuration for current encryption provider misconfigured

Initial Troubleshooting Steps We Tried (That Didn't Work)

1. Renaming config and database files

We renamed the following files to isolate the issue:

• custom.ini → custom_old.ini
• grafana.db → grafana_old.db
• plugins → plugins_old

Even with fresh/empty versions of these files, the same error persisted.

2. Checking environment variables

set | findstr GF_

Returned empty — no environment variable overrides.

3. Checking the Windows Service configuration

sc qc Grafana

This revealed Grafana was being managed by NSSM (Non-Sucking Service Manager):

BINARY_PATH_NAME: C:\Program Files\GrafanaLabs\svc\13.0.1.0\nssm.exe

4. Starting via NSSM

nssm.exe stop Grafana

nssm.exe start Grafana

nssm.exe status Grafana

Service kept going into a paused state.

5. Running the encryption migration command

grafana-server.exe --homepath "C:\Program Files\GrafanaLabs\grafana" migrate-encryption

Same error returned.

6. Clearing the kv_store table

Without sqlite3 available (not bundled with this Grafana version), we couldn't run:

DELETE FROM kv_store WHERE namespace='grafana-data-keys';

7. Trying the secrets migration rollback via CLI

grafana-cli.exe --homepath "C:\Program Files\GrafanaLabs\grafana" admin secrets-migration rollback

Failed with the same encryption error — couldn't even initialize.

8. Disabling envelope encryption via feature toggle

Added to custom.ini:

[feature_toggles]

disableEnvelopeEncryption = true

Grafana failed to start entirely with this setting in v13.

---

Root Cause Discovery

By checking file modification dates:

dir "C:\Program Files\GrafanaLabs\grafana\bin\"

We found that grafana.exe, grafana.db, and several other files had been modified on April 17, 2026 — the exact date Grafana 13.0.1 was released. Despite update_checker being disabled in custom.ini, someone had manually upgraded Grafana from v11.3 to v13.0.1.

This was a major version jump (v11 → v13), and the upgrade changed the internal encryption provider configuration format. The old grafana.db had been encrypted using an auto-generated secret key from the v11 installation — a key that was never explicitly saved anywhere, and was lost during the upgrade.

Checking the info logs confirmed:

logger=secrets current provider=secretkey.v1

The provider was correct, but the key itself didn't match what was originally used to encrypt the database.

---

The Fix That Worked

After extensive troubleshooting, the solution was to explicitly define the encryption provider and secret key in custom.ini using the secrets_manager section format that Grafana v13 expects:

[secrets_manager]

encryption_provider = secret_key.v1



[secrets_manager.encryption.secret_key.v1]

secret_key = SW2YcwTIb9zpOOhoPsMm <Any random string>

The key SW2YcwTIb9zpOOhoPsMm is the default secret key defined in Grafana's defaults.ini. Since the original v11 installation never had an explicit secret_key set in custom.ini, Grafana had been using this default key all along — it just needed to be explicitly declared in the new v13 secrets_manager format.

After saving custom.ini and restarting the Grafana service, it came up successfully with all dashboards, users, and configurations intact.

---

Key Lessons Learned

1. Grafana v13 uses a new secrets_manager configuration format
Unlike older versions where secret_key lived only under [security], v13 requires explicit declaration under [secrets_manager] sections.

2. Major version upgrades need careful planning
Jumping from v11 to v13 is a significant change. Always back up grafana.db and custom.ini before upgrading, and review the upgrade guide for breaking changes.

3. grafana.db is resilient — dashboards survive upgrades
Even through all this chaos, the 32MB grafana.db file had all dashboards intact. The issue was purely about Grafana being unable to start — not data loss.

4. Check NSSM when Grafana runs as a Windows Service
If Grafana is managed by NSSM, always use NSSM commands to start/stop rather than the Windows Services panel or running the binary directly:

nssm.exe stop Grafana

nssm.exe start Grafana

nssm.exe status Grafana

---

Final Working custom.ini Snippet

[secrets_manager]

encryption_provider = secret_key.v1



[secrets_manager.encryption.secret_key.v1]

secret_key = SW2YcwTIb9zpOOhoPsMm <Your random string>

---

Environment

• OS: Windows Server
• Grafana version before: 11.3.0
• Grafana version after upgrade: 13.0.1
• Service manager: NSSM (Non-Sucking Service Manager)
• Database: SQLite (grafana.db)

---

If this post helped you, the core takeaway is simple: Grafana v13 requires the encryption provider to be explicitly declared in the [secrets_manager] section of custom.ini. Don't leave your secret_key commented out — ever.