Introducing bring-your-own-key encryption (BYOK)
All customer data in Atlassian cloud products is encrypted at rest and in transit using Atlassian-managed keys in AWS Key Management Service (KMS). Soon, we will offer BYOK encryption, giving you the ability to encrypt your cloud product data with keys hosted in your own AWS account. With BYOK encryption, you will have more control over the management of your keys and will be able to revoke access at any time, both for your own end-users and for Atlassian systems.
There are many benefits of BYOK encryption:
- Reduced risk: BYOK adds another layer of protection for sensitive data.
- Improved data governance: Access to encryption keys hosted in your AWS account can be logged and monitored via AWS CloudTrail.
- Increased control: You can revoke access to your encryption keys without vendor reliance.
Atlassian's BYOK approach
We'll support encryption using encryption keys hosted in your AWS account via the AWS Key Management Service (KMS). AWS KMS can be integrated with AWS CloudTrail in your AWS account to provide you with logs of key usage. This solution enables encryption of your data at different layers throughout the applications.
When you enable BYOK encryption on an Atlassian product, you will need to set up an AWS KMS account and a specific service role. This account must be solely dedicated to Atlassian products.
The Early Access Program (EAP) providing encryption at rest for Jira Issue data will be available in mid-2022. This includes standard and custom Issue fields in new product instances only.
The content described herein is intended to outline our general product direction for informational purposes only. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described herein remain at the sole discretion of Atlassian and is subject to change.