Set up BYOK encryption

Adding a BYOK-encrypted Atlassian product

Once you’ve set up your AWS account and created the IAM role, contact your Enterprise account representative so we can provision BYOK for you. You need to be an organization admin to do this.

Using the information you provide us, we'll set up your BYOK encryption and add a BYOK-encrypted product to your site.

If you want to add another BYOK-encrypted product to the same site, you need to contact your Enterprise account representative again so we can enable BYOK encryption for the new product. If you add a product directly via admin.atlassian.com, it will not be BYOK-encrypted.

What information do you need to provide?

Contact your Enterprise account representative, and provide us with the following information:

• Your AWS account ID. This is the AWS account that you created specifically for managing BYOK encryption for your Atlassian products. The ID is numeric, for example, 27976624415. How to find your AWS account ID

• Cloud site name. The cloud site name you give should be a new and unique name. We'll add a BYOK-enabled product to this site name.
  If you’ve already enabled BYOK for Jira, and you now want to enable BYOK for Confluence, you can give the site name used for Jira BYOK. It’s the same if you’ve enabled BYOK for Confluence and now want to enable it for Jira. So you can either use a new site for BYOK encryption, or an existing site that's been BYOK enabled.

• Where do you want to host your product data. Your decision also dictates where your keys are hosted, since all customer-managed keys and product data live within the same data residency location. Learn about data residency

  • You can choose one of these locations: Europe, USA, Australia, Canada, Germany, India, Japan, South Korea, Singapore, or United Kingdom.

  • Locations with multiple regions:

    • Europe regions are eu-central-1 (Frankfurt) and eu-west-1 (Dublin)

    • USA regions are us-east-1 (N. Virginia) and us-west-2 (Oregon)

  • Locations with a single region:

    • Australia region is ap-southeast-2 (Sydney)

    • Canada region is ca-cantral-1 (Canada Central)

    • Germany region is eu-central-1 (Frankfurt)

    • India region is ap-south-1 (Mumbai)

    • Japan region is ap-northeast-1 (Tokyo)

    • South Korea region is ap-northeast-2 (Seoul)

    • Singapore region is ap-southeast-1 (Singapore)

    • United Kingdom region is eu-west-2 (London)

  • We'll automatically pin your BYOK product to the location you chose. For locations with multiple regions, the created keys will reside in all AWS regions associated with that location. For the rest, the created keys will reside in the single AWS region associated with that location.

  • Once we provision BYOK for you, you can't migrate the data between locations.

• The products that you want to create the BYOK encryption for. This can be Jira, Confluence, or Jira Service Management.
  BYOK encryption for Jira or Jira Service Management will extend to include product data for all Jira family products within the same site. This means that issue data for Jira and Jira Service Management on the same site will be encrypted with the keys managed in your external AWS account. Additionally, if you revoke your BYOK encryption keys access for Jira or Jira Service Management, all Jira family products on that site will be suspended. Learn about the Jira family of products

Once you provide us with all the information, we’ll provision the product with BYOK encryption, and you'll have certain product data encrypted with keys hosted in your external AWS account. Learn what data is managed with BYOK encryption

View your BYOK-encrypted products

To view your BYOK-encrypted products:

1. Go to Atlassian Administration. Select your organization if you have more than one.

2. Select Security > BYOK encryption.