• Products
  • Documentation
  • Resources

Restore your BYOK encryption keys

The BYOK encryption feature is available through an early access program (EAP) to a number of customers with Enterprise plans for Jira Software. For any issues, contact support.

If your BYOK encryption keys are revoked, you can restore them within three days of revocation. This will restore access to your Atlassian products both for your end users and for Atlassian systems. Learn how to revoke BYOK encryption keys

To restore BYOK encryption keys:

  1. Log in to your AWS console. If you need help with your AWS account, contact AWS support.

  2. Go to the IAM console.

  3. Search for atlassian-key-management on the left side of the dashboard.

  4. Go to Trust relationships.

  5. In the Trusted entities section, select Edit trust policy.

  6. Change the Cryptor-OSB-Provider statement from Deny to Allow:

    1 2 3 4 5 6 7 { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::279766244153:role/Cryptor-OSB-Provider" }, "Action": "sts:AssumeRole" }
  7. Select Update policy.

  8. Go to the KMS console and make sure to select the correct region.

  9. Select the checkboxes next to the KMS keys prefixed with Cryptor.

  10. Select the Key actions drop-down list at the top right corner.

  11. Select Enable.

  12. Let us know you’re ready for restoration so we can start the process on our end. Do this either via your existing revocation ticket, or contact support.

When admins set up BYOK encryption, they choose a location, either Europe or USA. Both locations have two regions:

  • Europe consists of eu-central-1 (Frankfurt) and eu-west-1 (Dublin) regions

  • USA consists of us-east-1 (N. Virginia) and us-west-2 (Oregon) regions

You need to enable keys in both regions, so repeat this process until you've enabled all keys that are prefixed with Cryptor in both regions within your location.

Additional Help