BYOK encryption for Jira, Jira Service Management, and Confluence is available to all customers with Enterprise plans.
You can revoke access to your BYOK encryption keys at any point. The revocation suspends all BYOK-enabled products both for your end users and for Atlassian systems. This means that the products are offline until access to the BYOK keys is restored.
To revoke access to your BYOK encryption keys:
1. Log in to your AWS console. If you need help with your AWS account, contact AWS support.
2. Make sure that your Amazon account region is set to a region in the location chosen for the BYOK encryption. Read about the locations and regions after the final step.
3. Go to the IAM console.
4. Search for atlassian-key-management on the left side of the dashboard.
5. Go to Trust relationships.
6. In the Trusted entities section, select Edit trust policy.
7. Change the Cryptor-OSB-Provider statement from Allow to Deny:

    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::279766244153:role/Cryptor-OSB-Provider"
      },
      "Action": "sts:AssumeRole"
    }

8. Select Update policy.
9. Go to the KMS console and make sure to select the correct region.
10. Select the checkboxes next to all the KMS keys prefixed with cryptor.
11. Select the Key actions drop-down list at the top right corner.
12. Select Disable.
13. In the pop-up message that appears, check the confirmation box and select Disable key to disable the KMS keys.
When admins request to set up BYOK encryption, they choose a location for the product data. For multiple-region locations, repeat this revocation process for all regions within your location. See the supported locations and their regions.
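A read-only check for the steps above, as an added example that is not part of Atlassian's documentation: it takes the JSON that `aws iam get-role`, `aws kms list-aliases` and `aws kms describe-key` return for one region and lists anything the revocation missed. It assumes the cryptor prefix appears on the key alias; the function names and the sample data are constructed for illustration.

```python
PROVIDER_ROLE = ":role/Cryptor-OSB-Provider"  # role named in the trust policy statement
KEY_PREFIX = "alias/cryptor"  # assumption: the "cryptor" prefix appears on the key alias


def as_list(value):
    """IAM JSON allows a single item or a list for Statement and Principal.AWS."""
    return value if isinstance(value, list) else [] if value is None else [value]


def revocation_gaps(trust_policy, aliases, key_states):
    """Return findings for one region; an empty list means revocation looks complete.

    trust_policy: Role.AssumeRolePolicyDocument from `aws iam get-role`
    aliases:      Aliases from `aws kms list-aliases`
    key_states:   key ID -> KeyMetadata.KeyState from `aws kms describe-key`
    """
    gaps, denied = [], False
    for stmt in as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        arns = as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if not any(arn.endswith(PROVIDER_ROLE) for arn in arns):
            continue  # statement is about some other principal
        if stmt.get("Effect") == "Deny":
            denied = True
        else:
            gaps.append("trust policy still allows Cryptor-OSB-Provider")
    if not denied:
        gaps.append("no Deny statement for Cryptor-OSB-Provider")
    for alias in aliases:
        name = alias.get("AliasName", "")
        state = key_states.get(alias.get("TargetKeyId"), "Unknown")
        if name.startswith(KEY_PREFIX) and state != "Disabled":
            gaps.append(f"{name} is {state}, expected Disabled")
    return gaps


# Constructed sample data: the trust policy was updated but one key was missed.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Deny",
    "Principal": {"AWS": "arn:aws:iam::279766244153:role/Cryptor-OSB-Provider"},
    "Action": "sts:AssumeRole"}}
SAMPLE_ALIASES = [
    {"AliasName": "alias/cryptor-example-1", "TargetKeyId": "key-1"},
    {"AliasName": "alias/cryptor-example-2", "TargetKeyId": "key-2"},
    {"AliasName": "alias/unrelated", "TargetKeyId": "key-3"},
]
SAMPLE_STATES = {"key-1": "Disabled", "key-2": "Enabled", "key-3": "Enabled"}
if __name__ == "__main__":
    for gap in revocation_gaps(SAMPLE_POLICY, SAMPLE_ALIASES, SAMPLE_STATES):
        print("GAP:", gap)
```

Run it once per region in a multiple-region location, feeding it that region's alias list and key states.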
It can take up to an hour before the process to revoke access to your keys starts.
We'll create a support ticket titled BYOK revocation started for AWS account, and reach out to you within a couple of days.
Access to your encryption keys can be restored within 15 days of revocation. Learn how to restore access to BYOK encryption keys