What is CMK encryption?
Customer-managed keys (CMK) give you greater control and visibility over your encryption keys to protect your organization’s Atlassian Cloud data. CMK is currently in Open Beta, and customers not already enrolled in BYOK can enroll in it. BYOK will eventually be deprecated and migrated to CMK.
Encryption is a sophisticated process designed to safeguard your data by transforming it into a format that is unreadable to anyone who does not possess the necessary key for decryption.
Customer-managed keys (CMK) vs Atlassian-managed keys
Your Atlassian cloud data at rest is automatically encrypted using Atlassian-managed keys. However, if you enroll your own AWS KMS (Key Management Service) keys, your app data will be encrypted with those instead.
Customer-managed keys: The KMS keys are provisioned and managed by the customer from their own AWS accounts.
Atlassian-managed keys: Atlassian generates service-level keys in an Atlassian-owned AWS account, and the keys are shared across cloud customers within its defined service-level boundary and tenant context.
Benefits of CMK
CMK gives you:
Added cryptographic separation for app data: a distinct set of encryption keys that you manage provides additional data isolation from other Cloud tenants.
Full control over the lifecycle of keys: hosting your own encryption keys allows you to independently manage and control your keys at all times.
Increased control over access: revoking access to the keys suspends access to all your apps at any time, so you can mitigate the risk of unauthorized access.
Visibility into encryption activity: controlling your own keys allows you to monitor encryption key access activity in AWS CloudTrail and validate proper usage and access.
Additional encryption security controls
Additional security options are provided as part of our CMK model to enable you to apply security controls on your key resources at network and application levels. Explore the steps to update AWS KMS key policy.
VPC endpoint for Key Management Service (KMS) access control
VPC endpoints create secure, private connections to AWS services, keeping data within a protected environment and off the public internet, minimizing threat exposure.
Two primary use cases for accessing your encryption key resources are client-side or application-level encryption (Atlassian encrypts data before persistence), and server-side encryption (including volume-level encryption). For application-level encryption, Atlassian's traffic uses managed VPC endpoints. For server-side, VPC endpoint KMS restrictions don't apply as AWS fully manages its internal network traffic.
Encryption context identifier
A tenant-specific encryption context is enforced as the AWS KMS encryption context on application-level and server-side encrypted data. AWS KMS uses this context as additional authenticated data (AAD) in its AEAD encryption. The context is not secret, but it is cryptographically bound to the ciphertext: decryption only succeeds when the same context is supplied.
During CMK enrollment, you provide a human-readable tag; Atlassian generates a unique encryption context identifier (a key-value pair including your tag). This identifier, used as AAD in AEAD and visible in CloudTrail logs, lets you add conditional statements to your KMS key policy for security restrictions, reducing risks like the confused deputy problem and ensuring data integrity.
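To make the AAD property concrete, here is an added example (not Atlassian code and not AWS KMS itself) using a toy AEAD built from the Python standard library in place of KMS's AES-GCM. The context key and tag values are placeholders. It shows the three behaviours that matter for the policy conditions described below: the same context decrypts, the order of the key-value pairs does not matter, and a different tenant's context is rejected before any plaintext is released.

```python
import hashlib
import hmac
import json
import os

# Toy AEAD standing in for AWS KMS's AES-GCM. It exists only to show that the
# encryption context, supplied as additional authenticated data (AAD), is bound
# to the ciphertext. It is not a production cipher and not Atlassian's code.

NONCE_LEN = 16
TAG_LEN = 32


def canonical_context(context: dict) -> bytes:
    """Serialize an encryption context as a sorted set of key-value pairs.

    KMS treats the context as a set, so {"a": "1", "b": "2"} and
    {"b": "2", "a": "1"} must produce identical AAD bytes.
    """
    return json.dumps(sorted(context.items()), separators=(",", ":")).encode()


def _subkey(master: bytes, label: bytes) -> bytes:
    # Separate keys for confidentiality and integrity, derived with HMAC.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from SHA-256 (toy construction only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_aead_encrypt(master: bytes, plaintext: bytes, context: dict) -> bytes:
    """Return nonce || ciphertext || tag, with the context authenticated as AAD."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(master, b"mac"),
                   nonce + canonical_context(context) + ciphertext,
                   hashlib.sha256).digest()
    return nonce + ciphertext + tag


def toy_aead_decrypt(master: bytes, blob: bytes, context: dict) -> bytes:
    """Verify the tag over (nonce, AAD, ciphertext) before decrypting anything."""
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master, b"mac"),
                        nonce + canonical_context(context) + ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or encryption context")
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """Encrypt under one tenant's context and show what other contexts do."""
    master = hashlib.sha256(b"constructed demo key, not a KMS key").digest()
    # Placeholder context pairs; the real identifier is generated by Atlassian.
    tenant_ctx = {"example-context-key": "example-tenant-tag",
                  "example-purpose": "app-data"}
    blob = toy_aead_encrypt(master, b"issue comment body", tenant_ctx)

    same = toy_aead_decrypt(master, blob, tenant_ctx) == b"issue comment body"
    reordered = toy_aead_decrypt(
        master, blob,
        {"example-purpose": "app-data", "example-context-key": "example-tenant-tag"},
    ) == b"issue comment body"
    try:
        toy_aead_decrypt(master, blob,
                         {"example-context-key": "some-other-tenant-tag",
                          "example-purpose": "app-data"})
        other_rejected = False
    except ValueError:
        other_rejected = True
    return {"same_context": same,
            "order_independent": reordered,
            "other_context_rejected": other_rejected}


if __name__ == "__main__":
    print(demo())
```

The keystream and tag construction are deliberately simple; the point is the interface: AAD is an input to both encrypt and decrypt, travels in the clear, and any mismatch fails authentication, which is exactly what lets a key policy or CloudTrail reviewer trust the context value attached to a KMS call.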
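The following added example (not Atlassian's policy and not a real AWS evaluator) models how the two controls described above combine in a KMS key policy statement: a StringEquals condition on aws:sourceVpce restricts use to a named VPC endpoint, and a kms:EncryptionContext:<key> condition restricts use to one tenant's identifier. The principal ARN, VPC endpoint id, context key and tag are placeholders; the evaluator handles only StringEquals and only the application-level path where the request carries a VPC endpoint.

```python
from typing import List

# Constructed sample key-policy statement. Every identifier below is a
# placeholder, not an Atlassian or AWS value.
SAMPLE_STATEMENTS: List[dict] = [
    {
        "Sid": "AllowAppDataUseViaEndpointForThisTenant",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/EXAMPLE-SERVICE-ROLE"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                # Network-level control: only via this VPC endpoint.
                "aws:sourceVpce": "vpce-EXAMPLE0123456789",
                # Application-level control: only with this tenant's context pair.
                "kms:EncryptionContext:example-context-key": "example-tenant-tag",
            }
        },
    },
]


def _condition_value(request: dict, key: str):
    # kms:EncryptionContext:<name> is read from the request's encryption
    # context; every other key comes from the request's global condition keys.
    # The request shape ("condition_keys", "encryption_context") is this
    # model's own, not an AWS API.
    prefix = "kms:EncryptionContext:"
    if key.startswith(prefix):
        return request.get("encryption_context", {}).get(key[len(prefix):])
    return request.get("condition_keys", {}).get(key)


def condition_matches(condition: dict, request: dict) -> bool:
    """StringEquals only: every listed key must be present and equal."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, expected in pairs.items():
            if _condition_value(request, key) != expected:
                return False
    return True


def evaluate(statements: List[dict], request: dict) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny'; an explicit deny wins."""
    decision = "ImplicitDeny"
    for stmt in statements:
        principals = stmt["Principal"].get("AWS", [])  # wildcard principals not modelled
        if isinstance(principals, str):
            principals = [principals]
        if request["principal"] not in principals:
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if request["action"] not in actions:
            continue
        if not condition_matches(stmt.get("Condition", {}), request):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def demo() -> dict:
    """Evaluate the expected request and two requests that each miss one control."""
    base = {
        "principal": "arn:aws:iam::111122223333:role/EXAMPLE-SERVICE-ROLE",
        "action": "kms:Decrypt",
        "condition_keys": {"aws:sourceVpce": "vpce-EXAMPLE0123456789"},
        "encryption_context": {"example-context-key": "example-tenant-tag"},
    }
    without_endpoint = dict(base, condition_keys={})  # request did not arrive via the endpoint
    other_tenant = dict(base, encryption_context={"example-context-key": "other-tag"})
    return {
        "expected_request": evaluate(SAMPLE_STATEMENTS, base),
        "without_vpc_endpoint": evaluate(SAMPLE_STATEMENTS, without_endpoint),
        "other_tenant_context": evaluate(SAMPLE_STATEMENTS, other_tenant),
    }


if __name__ == "__main__":
    print(demo())
```

Because both conditions sit in one StringEquals block, a request has to satisfy both; a valid context arriving outside the endpoint, or a request from the right endpoint carrying another tenant's context, falls through to the implicit deny. The same context value is what appears in CloudTrail, so the policy and the audit trail key off one identifier.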
How to enroll in Atlassian CMK
To begin, ensure that you are using AWS KMS as your "root of trust" and create a provisional KMS Key Policy that will be applied to your app data in Atlassian Cloud.
Next, submit a support ticket containing the required information for CMK enrollment. We will enroll your AWS KMS keys into the CMK encryption policy of your Atlassian organization. Explore how to set up CMK-enabled Atlassian apps.
Here is the overview of the process:
Where can I find more details about Atlassian CMK?
We provide a complimentary whitepaper to help you understand Atlassian CMK.