• Products
  • Documentation
  • Resources

Set up BYOK encryption

The BYOK encryption feature is available through an early access program (EAP) to a number of customers with Enterprise plans for Jira Software. For any issues, contact support.

During this EAP, using BYOK excludes the relevant products from our Atlassian’s Service Level Agreement.

Once you’ve set up your AWS account and created IAM roles, you need to contact us so we can create the BYOK-enabled product instance for you. You need to be an organization admin to do this.

Contact your account representative, and provide us with all the following information:

  • Your AWS account ID. The ID is numeric, for example, 279766244153. How to find your AWS account ID

  • Cloud site name. We'll add a BYOK-enabled product to your preferred site name. You can't use an existing site for BYOK encryption.

  • Desired number of users for your BYOK-enabled product. Enterprise plans are billed annually based on your user tier, which is the maximum number of people that can use or be invited to that product. Learn how Enterprise billing works

  • Where do you want to host your product data. Your decision also dictates where your keys are hosted, since all customer-managed keys and product data live within the same data residency location. Learn about data residency

    • The location is either Europe or USA, and both locations have two regions: Europe consists of eu-central-1 (Frankfurt) and eu-west-1 (Dublin) regions, and USA consists of us-east-1 (N. Virginia) and us-west-2 (Oregon) regions.

    • We'll automatically pin your BYOK instance to a location, and the created keys will be in associated AWS regions to that location.

    • Once we provision BYOK for you, you can't migrate the data between locations.

  • The products that you want to create the BYOK encryption for. This can be either Jira Software (JSW), Jira Service Management (JSM), or both. But whatever you choose, the BYOK setting must be consistent for all Jiras products on a site, because all Jira products are linked. For example, If JSM is BYOK-enabled, then JSW must be also BYOK-enabled on the same site. Learn about the Jira family of products

Once we create a BYOK-enabled product for you, you can’t convert it into a non-BYOK product (i.e. a product with data encrypted with Atlassian-managed keys).


Additional Help