Set up BYOK encryption
Adding a BYOK-encrypted Atlassian app
Once you’ve set up your AWS account and created the IAM role, contact your Enterprise account representative so we can provision BYOK for you. You need to be an organization admin to do this.
Using the information you provide us, we'll set up your BYOK encryption and add a BYOK-encrypted app to your site.
If you want to add another BYOK-encrypted app to the same site, you need to contact your Enterprise account representative again so we can enable BYOK encryption for the new app. If you add an app directly via admin.atlassian.com, it will not be BYOK-encrypted.
Currently, we don’t support migration of data between locations once we’ve provisioned BYOK encryption for you.
After we create a BYOK-encrypted app for you, you can’t convert it into a non-BYOK app (i.e. an app with data encrypted with Atlassian-managed keys).
What information do you need to provide?
Contact your Enterprise account representative, and provide us with the following information:
Your AWS account ID. This is the AWS account that you created specifically for managing BYOK encryption for your Atlassian apps. The ID is numeric, for example, 27976624415. How to find your AWS account ID
Cloud site name. The cloud site name you give should be a new and unique name. We'll add a BYOK-enabled app to this site name.
If you’ve already enabled BYOK for Jira, and you now want to enable BYOK for Confluence, you can give the site name used for Jira BYOK. It’s the same if you’ve enabled BYOK for Confluence and now want to enable it for Jira. So you can either use a new site for BYOK encryption, or an existing site that's been BYOK enabled.
Where you want to host your app data. Your decision also dictates where your keys are hosted, since all customer-managed keys and app data live within the same data residency location. Learn about data residency
You can choose one of these locations: Europe, USA, Australia, Canada, Germany, India, Japan, South Korea, Singapore, or United Kingdom.
Locations with multiple regions:
Europe regions are eu-central-1 (Frankfurt) and eu-west-1 (Dublin)
USA regions are us-east-1 (N. Virginia) and us-west-2 (Oregon)
Locations with a single region:
Australia region is ap-southeast-2 (Sydney)
Canada region is ca-central-1 (Canada Central)
Germany region is eu-central-1 (Frankfurt)
India region is ap-south-1 (Mumbai)
Japan region is ap-northeast-1 (Tokyo)
South Korea region is ap-northeast-2 (Seoul)
Singapore region is ap-southeast-1 (Singapore)
United Kingdom region is eu-west-2 (London)
We'll automatically pin your BYOK app to the location you chose. For locations with multiple regions, the created keys will reside in all AWS regions associated with that location. For the rest, the created keys will reside in the single AWS region associated with that location.
Once we provision BYOK for you, you can't migrate the data between locations.
The apps that you want to create the BYOK encryption for. This can be Jira, Confluence, or Jira Service Management.
BYOK encryption for Jira or Jira Service Management will extend to include app data for all Jira family apps within the same site. This means that issue data for Jira and Jira Service Management on the same site will be encrypted with the keys managed in your external AWS account. Additionally, if you revoke access to your BYOK encryption keys for Jira or Jira Service Management, all Jira family apps on that site will be suspended. What is the Jira family of apps?
Once you provide us with all the information, we’ll provision the app with BYOK encryption, and you'll have certain app data encrypted with keys hosted in your external AWS account. Learn what data is managed with BYOK encryption
View your BYOK-encrypted apps
To view your BYOK-encrypted apps:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > BYOK encryption.