BYOK frequently asked questions

Atlassian products and plans

Which Atlassian Cloud plans offer BYOK encryption for EAP?

Cloud Enterprise and Cloud Enterprise trial plans.

Which Atlassian cloud products can I configure with BYOK

Jira Software and Jira Service Management (JSM).

What data is covered by BYOK encryption in the EAP?

• Issue Summary, Description and fields content (including system and custom fields)

• Comments

• Attachments (except for attachments metadata)

• Search data

Learn more about what data can be managed with BYOK encryption

How does BYOK impact performance for Atlassian products?

There is minimal overhead resulting in an unnoticeable impact.

Org, site, and product instances

Can I enable BYOK encryption on existing product instances?

No, BYOK encryption can be enabled only on new product instances.

Can I enable BYOK on the Cloud site level, or on individual product instances?

You can only enable BYOK at the product instance level, not on the Cloud site level. This means that if you create a BYOK-enabled Jira Software instance, and you add a Confluence product instance to the same site during the EAP, then that Confluence product instance will not be BYOK-enabled.

It’s different with the JIra software family, the BYOK setting must be consistent for all Jiras products on a site, because all Jira products are linked. For example, If JSM is BYOK-enabled, then JSW must be also BYOK-enabled on the same site.

How many encryption policies can I set up for my organization?

You can have only one BYOK encryption policy (combination of AWS account ID and data residency location) per organization.

Can I use admin.atlassian.com to set up BYOK Encryption?

During the BYOK EAP, BYOK encryption can only be enabled by Atlassian support teams. Learn how to set up BYOK encryption

Encryption keys

Which key management solutions/workflows are supported with Atlassian BYOK?

The encryption keys are provisioned and managed in AWS Key Management Service (KMS).

What happens if I want to re-encrypt my data with new keys?

Re-encryption is not available during EAP.

How frequently can I rotate my encryption keys?

AWS KMS auto-rotation can only be set with once-a-year key rotation. Note that this creates new keys that are used going forward; the old keys still exist.

Revoking keys

At what granularity can I revoke keys to prevent access to my data?

Revocation granularity is for all data associated with a your BYOK encryption configuration. Revocation disables access to all BYOK-enabled product instances.

After I revoke keys, how soon is Atlassian’s access to my data stopped?

Atlassian systems stop having access to your data within 24 hours. This is the expected time, but we don’t guarantee this.

How do I restore my encryption keys after I’ve revoked them?

The key restoration process is detailed in Restore your BYOK encryption keys.

Logging

What information can I see with regards to when/how/why my keys are accessed?

You can log root key access in your KMS via AWS CloudTrail. For help with this, contact AWS support.

Data residency

Once a BYOK-enabled product instance is created, can I migrate its data to a different data residency location?

When you set up your BYOK encryption, you are asked to choose a data residency location. You won’t be able to change to a different location after a BYOK instance has been created.

Atlassian’s Service Level Agreement

If I use BYOK, are my products still subject to Atlassian’s Service Level Agreement?

No, new instances using BYOK are excluded from Atlassian’s SLA, per Section 3(e).