• Documentation
Products
Documentation
Resources
Atlassian Support
/
Security and access policies Resources
/
Manage bring your own key encryption

BYOK frequently asked questions

BYOK encryption for Jira, Jira Service Management, and Confluence is available to all customers with Enterprise plans.

Atlassian products and plans

Which Atlassian Cloud plans offer BYOK encryption?

Cloud Enterprise and Cloud Enterprise trial plans.

Which Atlassian cloud products can I encrypt with BYOK?

Jira, Jira Service Management, and Confluence for all customers with Enterprise plans.

What data is covered by BYOK encryption?

Jira:

  • Issue Summary, Description, and field content (including system and custom fields)

  • Comments

  • Attachments (except for attachments metadata)

  • Search data

  • Permissions and restriction configuration data

Jira Service Management:

  • Issue Summary, Description, and field content (including system and custom fields)

  • Comments

  • Attachments (except for attachments metadata)

  • Search data

  • Permissions and restriction configuration data

  • Asset data

Confluence:

  • Page content

  • Blog content

  • Comments

  • Attachments

  • Confluence questions

  • Whiteboards

  • Permissions and restriction configuration data

Learn more about what data can be managed with BYOK encryption

How does BYOK impact performance for Atlassian products?

There is minimal overhead resulting in an unnoticeable impact.

Org, site, and product instances

Can I enable BYOK encryption on existing product instances?

No, currently we support enabling BYOK encryption only on new product instances.

What happens if I add another product to my site?

You can add a product to your site after you enabled BYOK for another product, but the new product won't have BYOK encryption by default.

If you want to add a BYOK product to your site after you've enabled BYOK for another product, you need to reach out to your Atlassian Enterprise account representative to add the product to your site. If you add the product directly, it will not be BYOK enabled. Learn how to set up BYOK encryption

Can I enable BYOK on the Cloud site level, or on individual product instances?

You can only enable BYOK at the product instance level, not on the Cloud site level. This means that if you create a BYOK-enabled Jira instance, and you add a Confluence product instance to the same site, then that Confluence product instance won't be BYOK-enabled by default.

It’s different with the Jira family. If either Jira or Jira Service Management is BYOK encrypted, a substantial part of the other product will also be BYOK encrypted. However, in order to enable a more complete encryption coverage, the other product also needs to be on an Enterprise plan and you need to request to enable BYOK encryption for the product.

How many encryption configurations can I set up for my organization?

We currently support only one BYOK encryption configuration (combination of AWS account ID and data residency location) per organization.

Can I use admin.atlassian.com to set up BYOK Encryption?

BYOK encryption can only be provisioned by Atlassian support.
Set up BYOK encryption

Encryption keys

Which key management solutions/workflows are supported with Atlassian BYOK?

The Customer Master keys are provisioned and managed in AWS Key Management Service (KMS).

What happens if I want to re-encrypt my data with new keys?

You can request re-encryption when needed. Learn more about requesting re-encryption

How frequently can I rotate my encryption keys?

You don’t have to contact Atlassian to perform key rotation, just follow the instructions provided by AWS for rotating keys.

AWS KMS key rotation is set by default to once a year. AWS also supports a configurable rotation period between 90 and 2560 days, as well as on-demand rotation.

Note that this creates new keys that are used going forward; the old keys still exist.

Revoking access to keys

At what granularity can I revoke access to keys to prevent access to my data?

Revocation granularity is for all data associated with a your BYOK encryption configuration. Revocation disables access to all BYOK-enabled product instances.

How do I restore access to my encryption keys after I’ve revoked access to them?

You’ll need to update a policy in AWS, and then contact your Enterprise account representative. Learn how to restore access to your encryption keys.

Logging

What information can I see with regards to when/how/why my keys are accessed?

You can log root key access in your KMS via AWS CloudTrail. For help with this, contact AWS support.

Still need help?

The Atlassian Community is here for you.
Ask the Community
On this pageAtlassian products and plansWhich Atlassian Cloud plans offer BYOK encryption?Which Atlassian cloud products can I encrypt with BYOK?What data is covered by BYOK encryption?How does BYOK impact performance for Atlassian products?Org, site, and product instancesCan I enable BYOK encryption on existing product instances?What happens if I add another product to my site?Can I enable BYOK on the Cloud site level, or on individual product instances?How many encryption configurations can I set up for my organization?Can I use admin.atlassian.com to set up BYOK Encryption?Encryption keysWhich key management solutions/workflows are supported with Atlassian BYOK?What happens if I want to re-encrypt my data with new keys?How frequently can I rotate my encryption keys?Revoking access to keysAt what granularity can I revoke access to keys to prevent access to my data?How do I restore access to my encryption keys after I’ve revoked access to them?LoggingWhat information can I see with regards to when/how/why my keys are accessed?
CommunityQuestions, discussions, and articles