What is BYOK encryption?

Bring Your Own Key (BYOK) encryption lets you encrypt Jira Software product data with keys hosted in your external AWS account. If you're participating in the Confluence EAP, you can also encrypt Confluence product data.

Learn what product data can be managed with BYOK

The encryption keys are provisioned and managed in AWS Key Management Service (KMS).

Benefits of BYOK encryption

BYOK encryption gives you:

• Added security for sensitive data. By hosting your own encryption keys, you manage and control the keys at all times.

• Increased control over access to data. Revoking access to the keys suspends access to all your products. With the ability to revoke access to encryption keys at any time, you can reduce risk of unauthorized access.

• Visibility into account activity across your AWS infrastructure. Record activity and access audit logs using AWS CloudTrail.

BYOK encryption vs Atlassian-managed encryption

If you don’t use BYOK encryption, your data is encrypted using Atlassian-managed keys.

BYOK encryption

The keys are provisioned and managed in the customers’ own AWS accounts.

Atlassian-managed encryption

Atlassian generates keys in an Atlassian-owned AWS account, and the keys are shared among customers.

Who can use BYOK encryption?

To use our BYOK encryption for Jira Software, you need a Cloud Enterprise or a Cloud Enterprise trial subscription.

To use our BYOK encryption for Confluence, you also need to participate in the Early Access Program (EAP).

What BYOK encryption involves

You first need to set up an AWS account and create an IAM role.

Next, contact your Enterprise account representative and provide us with information such as your AWS account ID, where you want to host your product data, and the products you want to encrypt using BYOK. We’ll set up BYOK encryption for you and add BYOK-encrypted products to your Enterprise plan. Learn how to set up BYOK encryption