Bring your own key (BYOK) encryption

Data encryption is a standard data protection layer that Atlassian cloud applies as part of its Defense in Depth principle against cyber threats. Symmetric keys and envelope encryption are used to protect customer data at rest.

Atlassian cloud manages encryption keys by default in AWS Key Management Service (KMS). For greater control over your product data, we offer bring-your-own-key (BYOK) encryption capability for a selected and growing product data portfolio.

Bring-your-own-key (BYOK)

The BYOK encryption model allows you to encrypt Atlassian product data with keys that are hosted in your own AWS KMS. This enables cryptographic isolation from other customers' data and provides additional controls, such as revocation of Atlassian’s access to your encryption keys, to protect your cloud data. AWS KMS can be integrated with AWS CloudTrail in your AWS account to provide you with logs of key usage.

Some of the benefits of the BYOK encryption model include:

• Enhanced security governance: Access to encryption keys hosted in your AWS account can be logged and monitored via AWS CloudTrail so that actions can be taken when necessary.
• Increased control of data access: You can revoke access to your encryption keys without vendor reliance and suspend access to your products. This allows you to mitigate the risk of unauthorized access at any time.
• Amplify compliance posture: Hosting your own encryption keys provides you with more control over your cloud data, satisfying compliance requirements

When you enable BYOK encryption on an Atlassian product, you will need to setup an AWS KMS account and a specific service role. This account must be solely dedicated to Atlassian products.

Availability

Please note that our program currently only supports new product instances and selected cloud products. Learn more about setting up BYOK. For more information, please contact our Support team.