Revoke your BYOK encryption keys

The BYOK encryption feature is available through an early access program (EAP) to a number of customers with Enterprise plans for Jira Software. For any issues, contact support.

You can revoke your BYOK encryption keys at any point. The revocation suspends all BYOK-enabled products both for your end users and for Atlassian systems. This means that the products are not accessible while keys are revoked, until they are restored.

To revoke BYOK encryption keys:

  1. Log in to your AWS console. If you need help with your AWS account, contact AWS support.

  2. Make sure that your Amazon account region is set to one of the two regions in the location chosen for the BYOK encryption. Read about the locations and regions after the final step.

  3. Go to the IAM console.

  4. Search for atlassian-key-management on the left side of the dashboard.

  5. Go to Trust relationships.

  6. In the Trusted entities section, select Edit trust policy.

  7. Change the Cryptor-OSB-Provider statement from Allow to Deny:

    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::279766244153:role/Cryptor-OSB-Provider"
      },
      "Action": "sts:AssumeRole"
    }

  8. Select Update policy.

  9. Go to the KMS console and make sure to select the correct region.

  10. Select the checkboxes next to all the KMS keys prefixed with Cryptor.

  11. Select the Key actions drop-down list at the top right corner.

  12. Select Disable.

  13. In the pop-up message that appears, check the confirmation box and select Disable key to disable the KMS keys.

When admins set up BYOK encryption, they choose a location, either Europe or USA. Both locations have two regions:

  • Europe consists of eu-central-1 (Frankfurt) and eu-west-1 (Dublin) regions

  • USA consists of us-east-1 (N. Virginia) and us-west-2 (Oregon) regions.

You need to disable keys in both regions, so repeat this process until you've disabled all keys that are prefixed with Cryptor in both regions within your location.
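
The following check is an added example, not part of the original page or Atlassian's tooling. It confirms offline that both halves of the revocation were done: the trust policy edit and the disabling of every Cryptor-prefixed key in both regions of the location. The input shapes (a trust policy as IAM JSON and per-region lists of key name and state) and the sample key names are assumptions constructed for illustration.

```python
# Added example: offline check that a BYOK revocation is complete.
# Input shapes are assumptions: the trust policy as IAM JSON, and per-region
# lists of {"name", "state"} records exported from the KMS console or CLI.
PROVIDER_ARN = "arn:aws:iam::279766244153:role/Cryptor-OSB-Provider"
LOCATIONS = {
    "Europe": ("eu-central-1", "eu-west-1"),
    "USA": ("us-east-1", "us-west-2"),
}

def _as_list(value):
    # IAM JSON allows a single item where a list is otherwise expected.
    return value if isinstance(value, list) else [value]

def _covers_provider(stmt):
    principal = stmt.get("Principal", {})
    arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return PROVIDER_ARN in arns and "sts:AssumeRole" in _as_list(stmt.get("Action", []))

def revocation_gaps(trust_policy, keys_by_region, location):
    """Return a list of reasons the revocation is incomplete (empty if done)."""
    gaps = []
    stmts = [s for s in _as_list(trust_policy.get("Statement", [])) if _covers_provider(s)]
    if any(s.get("Effect") == "Allow" for s in stmts):
        gaps.append("an Allow statement for Cryptor-OSB-Provider remains in the trust policy")
    if not any(s.get("Effect") == "Deny" for s in stmts):
        gaps.append("no Deny statement for Cryptor-OSB-Provider in the trust policy")
    for region in LOCATIONS[location]:
        if region not in keys_by_region:
            # A region that was never inspected counts as unfinished work.
            gaps.append(f"{region}: keys not checked")
            continue
        for key in keys_by_region[region]:
            if key["name"].startswith("Cryptor") and key["state"] != "Disabled":
                gaps.append(f"{region}: {key['name']} is {key['state']}")
    return gaps

# Constructed sample data: policy edited, but one Dublin key was missed.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": {"AWS": PROVIDER_ARN}, "Action": "sts:AssumeRole"}]}
SAMPLE_KEYS = {
    "eu-central-1": [{"name": "Cryptor-example-a", "state": "Disabled"}],
    "eu-west-1": [{"name": "Cryptor-example-b", "state": "Enabled"},
                  {"name": "unrelated-key", "state": "Enabled"}],
}

if __name__ == "__main__":
    for gap in revocation_gaps(SAMPLE_POLICY, SAMPLE_KEYS, "Europe"):
        print("INCOMPLETE:", gap)
```

An empty result means the policy statement is set to Deny and no enabled Cryptor-prefixed key remains in either region of the chosen location.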

It can take up to 45 minutes before the key revocation process starts.

What’s next?

We will create a revocation ticket and reach out to you within a couple of days.

Restoring the access after revocation

Access to BYOK encryption can be restored within three days of revocation. Learn how to restore BYOK encryption keys.