Customer-managed key encryption for backups
At Atlassian, we offer two key models for encrypting data at rest:
Atlassian-managed keys (provided by Atlassian)
Customer-managed keys (CMK)
Understanding the differences between Atlassian-managed and Customer-managed keys is essential for managing your organization's data security. Choose the key model that suits your organization’s policies.
Default Atlassian-managed keys
Default encryption is automatically applied to all data within Atlassian apps. This model uses Atlassian-managed keys to encrypt data, providing a seamless and secure experience without requiring any additional setup from customers.
Customer-managed keys
Customer-managed keys (CMK) allow organizations to manage their own encryption keys using AWS Key Management Service (KMS). This model provides greater control over encryption keys. Read about setting up and managing customer-managed keys.
Back up and restore encrypted Atlassian apps
Back up encrypted Atlassian apps | If you have enrolled in the CMK encryption policy, backups stored in Atlassian storage are encrypted with CMK. |
---|---|
Restore encrypted Atlassian apps | You can restore a CMK-enabled backup with CMK to a CMK-enabled app instance. |
Back up and restore re-encrypted Atlassian apps
Re-encryption is the process of altering the underlying key material for encrypted data. For Atlassian CMK, this involves decrypting the existing ciphertext using the old key and then re-encrypting the resulting plaintext with a new key. This makes the old keys, together with the backups protected with the old keys, non-functional.
Re-encryption is only applied to the data in scope for CMK. Data protected by Atlassian-managed keys can’t be altered with CMK re-encryption requests.
Back up re-encrypted Atlassian apps | Backups are protected with the active encryption keys in use at that time. When you re-encrypt apps and then back up data, all your previous backups encrypted with old keys are disabled. For data integrity, backups are skipped during the re-encryption process. All backups taken after re-encryption will be encrypted with the new keys. |
---|---|
Restore re-encrypted Atlassian apps | When restoring a backup, the encryption keys used to back up the data should be active for the restoration to be successful. When an app is re-encrypted, old backups aren’t re-encrypted with the new keys. After re-encryption, you will not be able to access backups that were encrypted with old keys. |
Back up and restore Atlassian apps when keys are revoked
Revoking existing keys affects your backups and restores.
Back up Atlassian apps when keys are revoked | When you revoke keys in AWS: |
Restore Atlassian apps when keys are revoked | When you revoke keys, any backups encrypted with those keys become unusable. |