move license to installation and remove advanced features.

Author: raphael-istari

docusaurus-docs/docs/admin/admin-tasks/binary-backups.mdx

@@ -404,7 +404,7 @@ Online restore operations return immediately after the request is sent. The rest
 :::note
 When using backups made from a Dgraph cluster that uses encryption (so backups are encrypted),
 you need to use the same key from that original cluster when doing a restore process.
-Dgraph's [Encryption at Rest](../enterprise-features/encryption-at-rest) uses a symmetric-key
+Dgraph's [Encryption at Rest](../../installation/configuration/encryption-at-rest) uses a symmetric-key
 algorithm where the same key is used for both encryption and decryption, so the encryption key from that
 cluster is needed for the restore process.
 :::

docusaurus-docs/docs/admin/enterprise-features/encryption-at-rest.md

@@ -4,7 +4,7 @@ description: Track and audit all requests (queries and mutations) with Dgraph au
 ---
 
 :::note
-**Enterprise Feature**: Audit logging requires a Dgraph Enterprise license. See [License](../enterprise-features/license) for details.
+**Enterprise Feature**: Audit logging requires a Dgraph Enterprise license. See [License](../../installation/configuration/license) for details.
 :::
 
 Audit logging tracks all requests (queries and mutations) sent to your Dgraph cluster. When enabled, audit logs record the following information for each request:

docusaurus-docs/docs/admin/enterprise-features/license.md

@@ -4,7 +4,7 @@ description: Dgraph logs requests for queries and mutations, and also provides a
 ---
 
 Dgraph logs requests for queries and mutations, and also provides audit logging
-capabilities with a Dgraph [enterprise license](../enterprise-features/license).
+capabilities with a Dgraph [enterprise license](../../installation/configuration/license).
 
 Dgraph's log format comes from the glog library and is [formatted](https://github.com/golang/glog/blob/23def4e6c14b4da8ac2ed8007337bc5eb5007998/glog.go#L523-L533) as follows:
 

docusaurus-docs/docs/admin/observability/audit-logs.md

@@ -19,4 +19,4 @@ Dgraph security configuration covers authentication, network security, and acces
 
 **[Audit Logging](../observability/audit-logs)** - Track and audit all requests
 
-**[Encryption at Rest](../enterprise-features/encryption-at-rest)**  - Encrypt data on disk
+**[Encryption at Rest](../../installation/configuration/encryption-at-rest)**  - Encrypt data on disk

docusaurus-docs/docs/admin/observability/log-format.md

@@ -4,7 +4,7 @@ description: Stream database mutations and drop events to Kafka or local file si
 ---
 
 :::note
-**Enterprise Feature**: Change Data Capture requires a Dgraph Enterprise license. See [License](../../admin/enterprise-features/license) for details.
+**Enterprise Feature**: Change Data Capture requires a Dgraph Enterprise license. See [License](license) for details.
 :::
 
 Change Data Capture (CDC) streams database mutations and drop events to external sinks (Kafka or local files). CDC tracks all `set` and `delete` mutations except those affecting password fields, along with all drop events. Live Loader events are recorded; Bulk Loader events are not.

docusaurus-docs/docs/admin/security/index.md

@@ -6,7 +6,7 @@ title: Enable ACL
 Access Control List (ACL) provides access protection to your data stored in Dgraph. When the ACL feature is enabled, a client must authenticate with a username and password before executing any transactions, and is only allowed to access the data permitted by the ACL rules.
 
 :::note
-**Enterprise Feature**: ACL requires a Dgraph Enterprise license. See [License](../../admin/enterprise-features/license) for details.
+**Enterprise Feature**: ACL requires a Dgraph Enterprise license. See [License](license) for details.
 :::
 
 ## Enable Enterprise ACL Feature

docusaurus-docs/docs/installation/configuration/change-data-capture.md

@@ -0,0 +1,111 @@
+---
+title: Encryption at Rest
+description: Encrypt data stored on disk using AES encryption
+---
+
+:::note
+**Enterprise Feature**: Encryption at Rest requires a Dgraph Enterprise license. See [License](license) for details.
+:::
+
+Encryption at Rest encrypts data stored on disk, ensuring sensitive data is not readable without a valid decryption key. Dgraph uses the [Advanced Encryption Standard (AES)](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) algorithm for encryption.
+
+Encryption keys can be stored on Hashicorp Vault servers in addition to local file systems.
+
+## Setup
+
+To enable encryption, pass a file containing the data encryption key using the `--encryption key-file=value` option. The key size must be 16, 24, or 32 bytes, determining the AES block size: AES-128, AES-192, or AES-256, respectively.
+
+Generate an encryption key file (set `count` to the desired key size):
+
+```bash
+tr -dc 'a-zA-Z0-9' < /dev/urandom | dd bs=1 count=32 of=enc_key_file
+```
+
+:::note
+On macOS, use `LC_CTYPE=C; tr -dc 'a-zA-Z0-9' < /dev/urandom | dd bs=1 count=32 of=enc_key_file`. To view the key, use `cat enc_key_file`.
+:::
+
+Alternatively, use the `--vault` [superflag](../../cli/superflags) options to enable encryption with Hashicorp Vault, as [explained below](#hashicorp-vault-configuration).
+
+## Enable Encryption
+
+Start Zero and Alpha with encryption enabled:
+
+```bash
+dgraph zero --my="localhost:5080" --replicas 1 --raft "idx=1"
+dgraph alpha --encryption key-file="./enc_key_file" --my="localhost:7080" --zero="localhost:5080"
+```
+
+If multiple Alpha nodes are in the cluster, pass the `--encryption key-file` option to each Alpha.
+
+Once encryption is enabled on an Alpha, the encryption key must be provided to start the server. If the Alpha restarts, the `--encryption key-file` option must be set with the key to restart successfully.
+
+### Hashicorp Vault Configuration
+
+You can store the encryption key in [Hashicorp Vault](https://www.vaultproject.io/) K/V Secrets instead of a local file.
+
+**Prerequisites:**
+
+1. Ensure the Vault server is accessible from Dgraph Alpha and configured using URL `http://fqdn[ip]:port`.
+2. Enable [AppRole Auth method](https://www.vaultproject.io/docs/auth/approle) and [KV Secrets Engine](https://www.vaultproject.io/docs/secrets/kv).
+3. Save the encryption key (16, 24, or 32 bytes) in a KV Secret path ([K/V Version 1](https://www.vaultproject.io/docs/secrets/kv/kv-v1) or [K/V Version 2](https://www.vaultproject.io/docs/secrets/kv/kv-v2)). For example, upload to KV Secrets Engine Version 2 path `secret/data/dgraph/alpha`:
+   ```json
+   {
+     "options": {
+       "cas": 0
+     },
+     "data": {
+       "enc_key": "qIvHQBVUpzsOp74PmMJjHAOfwIA1e6zm%"
+     }
+   }
+   ```
+4. Create or use a role with an attached policy that grants access to the secret. For example, the following policy grants access to `secret/data/dgraph/alpha`:
+   ```hcl
+   path "secret/data/dgraph/*" {
+     capabilities = [ "read", "update" ]
+   }
+   ```
+5. Using the `role_id` from the previous step, create a corresponding `secret_id`, and copy both to local files (e.g., `./dgraph/vault/role_id` and `./dgraph/vault/secret_id`) for use by Dgraph Alpha nodes.
+
+:::note
+The key format for the `enc-field` option can be defined using `enc-format` with values `base64` (default) or `raw`.
+:::
+
+### Example: Using Hashicorp Vault
+
+Start Dgraph with a Vault server holding the encryption key:
+
+```bash
+## Start Dgraph Zero in a separate terminal
+dgraph zero --my=localhost:5080 --replicas 1 --raft "idx=1"
+
+## Start Dgraph Alpha in a separate terminal
+dgraph alpha --my="localhost:7080" --zero="localhost:5080" \
+  --vault addr="http://localhost:8200";enc-field="enc_key";enc-format="raw";path="secret/data/dgraph/alpha";role-id-file="./role_id";secret-id-file="./secret_id"
+```
+
+If multiple Alpha nodes are in the cluster, pass the `--encryption key-file` flag or the `--vault` superflag with appropriate options to each Alpha.
+
+After encryption is enabled on an Alpha, you must provide the encryption key to start the server. If the Alpha restarts, the `--encryption key-file` or `--vault` superflag options must be set with the key to restart successfully.
+
+## Disable Encryption
+
+Use [live loader](../../migration/live-loader) or [bulk loader](../../migration/bulk-loader) to decrypt data during import.
+
+## Key Rotation
+
+The master encryption key set by `--encryption key-file` (or stored in Vault) does not change automatically. The master key encrypts underlying data keys, which are rotated automatically (see the [encryption-at-rest blog post][encblog] for details).
+
+[encblog]: https://dgraph.io/blog/post/encryption-at-rest-dgraph-badger#one-key-to-rule-them-all-many-keys-to-find-them
+
+To rotate the master encryption key, use the `badger rotate` command on both `p` and `w` directories for each Alpha. In HA cluster configurations, rotate keys one Alpha at a time in a rolling manner to maintain availability.
+
+You need both the current key and the new key in separate files. Specify the directory to rotate (`p` or `w`) with `--dir`, the old key with `--old-key-path`, and the new key with `--new-key-path`:
+
+```bash
+badger rotate --dir p --old-key-path enc_key_file --new-key-path new_enc_key_file
+badger rotate --dir w --old-key-path enc_key_file --new-key-path new_enc_key_file
+```
+
+Then start Alpha with the `new_enc_key_file` to use the new key.
+

docusaurus-docs/docs/installation/configuration/enable-acl.md

@@ -3,7 +3,7 @@ title: Learner Nodes
 description: Deploy read-only replica instances for low-latency best-effort queries in remote geographic regions
 ---
 :::note
-**Enterprise Feature**: Learner nodes require a Dgraph Enterprise license. See [License](../../admin/enterprise-features/license) for details.
+**Enterprise Feature**: Learner nodes require a Dgraph Enterprise license. See [License](license) for details.
 :::
 
 Learner nodes are read-only replica instances that serve best-effort queries with zero latency overhead. Use learner nodes to provide low-latency access for clients in remote geographic regions distant from your main Dgraph cluster.