Learn about security solutions and standards
Care about security? We do too. Learn what Atlassian does and what you can do too.
BYOK encryption for Jira, Jira Service Management, and Confluence is available to all customers with Enterprise plans.
Once you’ve set up your AWS account and created the IAM role, contact your Enterprise account representative so we can provision BYOK for you. You need to be an organization admin to do this.
Using the information you provide us, we'll set up your BYOK encryption and add a BYOK-encrypted product to your site.
If you want to add another BYOK-encrypted product to the same site, you need to contact your Enterprise account representative again so we can enable BYOK encryption for the new product. If you add a product directly via admin.atlassian.com, it will not be BYOK-encrypted.
After we create a BYOK-encrypted product for you, you can’t convert it into a non-BYOK product (i.e. a product with data encrypted with Atlassian-managed keys).
Contact your Enterprise account representative, and provide us with the following information:
Your AWS account ID. This is the AWS account that you created specifically for managing BYOK encryption for your Atlassian products. The ID is numeric, for example, 27976624415. How to find your AWS account ID
Cloud site name. The cloud site name you give should be a new and unique name. We'll add a BYOK-enabled product to this site name.
If you’ve already enabled BYOK for Jira, and you now want to enable BYOK for Confluence, you can give the site name used for Jira BYOK. It’s the same if you’ve enabled BYOK for Confluence and now want to enable it for Jira. So you can either use a new site for BYOK encryption, or an existing site that's been BYOK enabled.
Where do you want to host your product data. Your decision also dictates where your keys are hosted, since all customer-managed keys and product data live within the same data residency location. Learn about data residency
The location you can choose is either European Union or USA.
Both locations have two regions: European Union consists of eu-central-1 (Frankfurt) and eu-west-1 (Dublin) regions, and USA consists of us-east-1 (N. Virginia) and us-west-2 (Oregon) regions.
We'll automatically pin your BYOK product to the location you chose, and the created keys will reside in both AWS regions associated with that location.
Once we provision BYOK for you, you can't migrate the data between locations.
The products that you want to create the BYOK encryption for. This can be Jira, Confluence, or Jira Service Management.
BYOK encryption for Jira or Jira Service Management will extend to include product data for all Jira family products within the same site. This means that issue data for Jira and Jira Service Management on the same site will be encrypted with the keys managed in your external AWS account. Additionally, if you revoke your BYOK encryption keys access for Jira or Jira Service Management, all Jira family products on that site will be suspended. Learn about the Jira family of products
Once you provide us with all the information, we’ll provision the product instances with BYOK encryption, and you'll have certain product data encrypted with keys hosted in your external AWS account. Learn what data is managed with BYOK encryption
To view your BYOK-encrypted products:
Go to admin.atlassian.com. Select your organization if you have more than one.
Select Security > BYOK encryption.
Was this helpful?