• Products
  • Documentation
  • Resources

Set up BYOK encryption

BYOK encryption for Jira Software and Confluence is available to all customers with Enterprise plans.

BYOK encryption for Jira Service Management is available through an early access program (EAP) to a number of customers with Enterprise plans. If you're interested in participating in the EAP, reach out to your Enterprise account representative.

Adding a BYOK-encrypted Atlassian product

Once you’ve set up your AWS account and created the IAM role, contact your Enterprise account representative so we can provision BYOK for you. You need to be an organization admin to do this.

Using the information you provide us, we'll set up your BYOK encryption and add a BYOK-encrypted product to your site.

If you want to add another BYOK-encrypted product to the same site, you need to contact your Enterprise account representative again so we can enable BYOK encryption for the new product. If you add a product directly via admin.atlassian.com, it will not be BYOK-encrypted.

After we create a BYOK-encrypted product for you, you can’t convert it into a non-BYOK product (i.e. a product with data encrypted with Atlassian-managed keys).

What information do you need to provide?

Contact your Enterprise account representative, and provide us with the following information:

  • Your AWS account ID. This is the AWS account that you created specifically for managing BYOK encryption for your Atlassian products. The ID is numeric, for example, 27976624415. How to find your AWS account ID

  • Cloud site name. The cloud site name you give should be a new and unique name. We'll add a BYOK-enabled product to this site name.
    If you’ve already enabled BYOK for Jira, and you now want to enable BYOK for Confluence, you can give the site name used for Jira BYOK. It’s the same if you’ve enabled BYOK for Confluence and now want to enable it for Jira. So you can either use a new site for BYOK encryption, or an existing site that's been BYOK enabled.

  • Desired number of users for your BYOK-enabled product. Enterprise plans are billed annually based on your user tier, which is the maximum number of people that can use or be invited to that product. Learn how Enterprise billing works

  • Where do you want to host your product data. Your decision also dictates where your keys are hosted, since all customer-managed keys and product data live within the same data residency location. Learn about data residency

    • The location you can choose is either European Union or USA.

    • Both locations have two regions: European Union consists of eu-central-1 (Frankfurt) and eu-west-1 (Dublin) regions, and USA consists of us-east-1 (N. Virginia) and us-west-2 (Oregon) regions.

    • We'll automatically pin your BYOK product to the location you chose, and the created keys will reside in both AWS regions associated with that location.

    • Once we provision BYOK for you, you can't migrate the data between locations.

  • The products that you want to create the BYOK encryption for. This can be Jira Software, Confluence, or Jira Service Management (EAP only).
    BYOK encryption for Jira Software or Jira Service Management will extend to include product data for all Jira family products within the same site. This means that issue data for Jira Software, Jira Service Management, and Jira Work Management on the same site will be encrypted with the keys managed in your external AWS account. Additionally, if you revoke your BYOK encryption keys access for Jira software or Jira Service Management, all Jira family products on that site will be suspended. Learn about the Jira family of products

Once you provide us with all the information, we’ll create the BYOK encryption for you, and you will have certain product data encrypted with keys hosted in your external AWS account. Learn what data is managed with BYOK encryption

View your BYOK-encrypted products

To view your BYOK-encrypted products:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Security > BYOK encryption.

Additional Help