• Products
  • Documentation
  • Resources

What is BYOK encryption?

BYOK encryption for Jira and Confluence is available to all customers with Enterprise plans.

BYOK encryption for Jira Service Management is available through an early access program (EAP) to a number of customers with Enterprise plans. If you're interested in participating in the EAP, reach out to your Enterprise account representative.

Bring Your Own Key (BYOK) encryption lets you encrypt product data for Jira, Confluence, or Jira Service Management (EAP only) with keys hosted in your external AWS account. Learn what product data can be managed with BYOK

Benefits of BYOK encryption

BYOK encryption gives you:

  • Added security for sensitive data. By hosting your own encryption keys, you manage and control the keys at all times.

  • Increased control over access to data. Revoking access to the keys suspends access to all your products. With the ability to revoke access to encryption keys at any time, you can reduce risk of unauthorized access.

  • Visibility into account activity across your AWS infrastructure. Record activity and access audit logs using AWS CloudTrail.

BYOK encryption vs Atlassian-managed encryption

If you don’t use BYOK encryption, your data is encrypted using Atlassian-managed keys.

BYOK encryption

The keys are provisioned and managed in the customers’ own AWS accounts.

Atlassian requests keys to be provisioned in the customers’ own AWS accounts.

Atlassian-managed encryption

Atlassian generates keys in an Atlassian-owned AWS account, and the keys are shared among customers.

Keys generated by Atlassian in an Atlassian-owned AWS account, and shared among customers.

Who can use BYOK encryption?

To use our BYOK encryption for Jira or Confluence, you need a Cloud Enterprise or a Cloud Enterprise trial subscription.

To use our BYOK encryption for Jira Service Management, you also need to participate in the Early Access Program (EAP). If you’re interested to join, contact your Enterprise account representative.

What BYOK encryption involves

You first need to set up an AWS account and create an IAM role.

Next, contact your Enterprise account representative and provide us with information such as your AWS account ID, where you want to host your product data, and the products you want to encrypt using BYOK. We’ll set up BYOK encryption for you and add BYOK-encrypted products to your Enterprise plan. Learn how to set up BYOK encryption


Additional Help