Bring your own key (BYOK) encryption

All customer data in Atlassian Cloud products is encrypted at rest and in transit using Atlassian-managed keys in AWS Key Management Service (KMS).  In Cloud Enterprise, you can also choose to use BYOK encryption to encrypt product data with keys hosted in your own AWS account. With BYOK encryption, you will have greater control over the management of your keys and will be able to revoke access at any time, both for your own end-users and for Atlassian systems.

There are many benefits of BYOK encryption:

  • Reduced risk: BYOK adds another layer of protection for sensitive data.
  • Improved data governance: Access to encryption keys hosted in your AWS account can be logged and monitored via AWS CloudTrail.
  • Increased control: You can revoke access to your encryption keys without vendor reliance.


Atlassian's BYOK approach

We support encryption using encryption keys generated and hosted in your AWS account via the AWS Key Management Service (KMS). AWS KMS can be integrated with AWS CloudTrail in your AWS account to provide you with logs of key usage. This solution enables encryption of your data at different layers throughout the applications.

When you enable BYOK encryption on an Atlassian product, you will need to setup an AWS KMS account and a specific service role. This account must be solely dedicated to Atlassian products.


BYOK encryption* is generally available (GA) for Jira Software and in an early access program (EAP) for Confluence as part of our Cloud Enterprise plan. If you would like to participate in either program, please reach out to your Atlassian representative or contact our support team.

*Our program currently only supports new product instances. Visit our documentation to learn more.

The content described herein is intended to outline our general product direction for informational purposes only. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described herein remain at the sole discretion of Atlassian and is subject to change.