Encryption frequently asked questions

Who can do this?
Role: Organization admin
Atlassian Cloud: Jira, Confluence, and Jira Service Management customers with Enterprise plan
Atlassian Government Cloud: Not available

Atlassian apps and plans

Which Atlassian Cloud plans offer BYOK or CMK encryption?

Cloud Enterprise and Cloud Enterprise trial plans.

Which Atlassian cloud apps can I encrypt with BYOK or CMK?

Jira, Jira Service Management, and Confluence for all customers with Enterprise plans.

What data is covered by BYOK or CMK encryption?

When you apply BYOK or CMK encryption to your apps, not all data types are encrypted with BYOK or CMK encryption. View the full list of data types that can be managed with CMK encryption

How does BYOK or CMK impact performance for Atlassian apps?

There is minimal overhead, resulting in an unnoticeable impact.

Org, site, and app instances

Can I enable BYOK or CMK encryption on existing app instances?

No, currently we support enabling BYOK or CMK encryption only on new app instances.

What happens if I add another app to my site?

You can add an app to your site after you've enabled BYOK or CMK for another app, but the new app won't have BYOK or CMK encryption by default.

If you want to add a BYOK or CMK app to your site after you've enabled BYOK or CMK for another app, you need to reach out to your Atlassian Enterprise account representative to add the app to your site. If you add the app directly, it will not be BYOK or CMK enabled. Understand how to set up CMK encryption

How long does it take to provision apps with CMK?

After you have successfully enrolled your Atlassian cloud organization in the CMK encryption policy, subsequent requests for site/app provisioning are generally fulfilled within two business days after the corresponding support ticket is processed.

Can I enable BYOK or CMK on the Cloud site level, or on individual app instances?

You can only enable BYOK or CMK at the app instance level, not on the Cloud site level. This means that if you create a BYOK or CMK-enabled Jira Software instance, and you add a Confluence app instance to the same site, then that Confluence app instance won't be BYOK or CMK-enabled by default.

It’s different with the Jira software family. If either Jira Software or Jira Service Management is BYOK or CMK encrypted, a substantial part of the other app will also be BYOK or CMK encrypted. However, to get more complete encryption coverage, the other app also needs to be on an Enterprise plan and you need to request BYOK or CMK encryption for that app.

How many encryption configurations can I set up for my organization?

We currently support only one BYOK or CMK encryption configuration (combination of AWS account ID and data residency location) per organization.

Can I use admin.atlassian.com to set up BYOK or CMK Encryption?

BYOK or CMK encryption can only be provisioned by Atlassian support.

Encryption keys

Which key management solutions/workflows are supported with Atlassian BYOK or CMK encryption?

The Customer KMS keys are provisioned and managed in AWS Key Management Service (KMS).

What happens if I want to re-encrypt my data with new keys?

You can request re-encryption when needed. Understand more about requesting re-encryption

Can I migrate data after encryption?

Currently, we don’t support migration of data between locations once we’ve provisioned BYOK or CMK encryption for you.

How frequently can I rotate my encryption keys?

You don’t have to contact Atlassian to perform key rotation; just follow the instructions provided by AWS for rotating keys.

Note that this creates new key materials that are used going forward; the old key materials still exist for decryption.

Atlassian access requests

Why does Atlassian need to update access permission in my AWS Key Policy?

Atlassian needs permissions on certain KMS keys to ensure that Atlassian Cloud apps function correctly and to add new Cloud apps. From time to time, you will be required to update your key policy template in order for Atlassian to continue to service your BYOK or CMK-enabled Cloud apps.

What happens if I decline or ignore Atlassian’s access requests?

Your BYOK or CMK-enabled Cloud apps may not function correctly and we will not be able to add additional platform apps. Additionally, we may need to suspend these Cloud apps until you provide us with the necessary access.

Revoking access to keys

At what granularity can I revoke access to keys to prevent access to my data?

Revocation granularity is for all data associated with your BYOK or CMK keys. Revocation disables access to all CMK-enabled app instances.

How do I restore access to my encryption keys after I’ve revoked access to them?

To submit restoration requests, you must be a registered Atlassian organization admin, due to security protocols. Understand how to restore access to your encryption keys

For CMK, after you request to restore access through a support ticket, the process is generally completed within two business days after the ticket is addressed. However, this timeframe may vary based on the volume of data and the specific patterns associated with the case.

How long does it take to suspend CMK-enabled cloud sites?

After you have successfully revoked access to your AWS account, it typically takes up to 30 minutes or 1 hour for the suspension of CMK-enabled cloud sites to take effect.

Understand how to revoke access

Please note that there may be a potential data loss of up to 1 hour leading up to the revocation event.

Logging

What information can I see with regard to when/how/why my keys are accessed?

Key logs are available through your AWS account. They provide additional monitoring of your KMS keys and allow you to make informed decisions about appropriate use and access.

When setting up AWS KMS, you can enable AWS CloudTrail, which provides you with information about activities carried out via AWS KMS.
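
One way to review the KMS activity that CloudTrail records is shown below. This is an added example, not Atlassian or AWS code: the account IDs, key ARN, principal names and sample records are constructed placeholders, and the allowlist of expected accounts is an assumption you would replace with the accounts named in your own key policy.

```python
from collections import Counter

# Placeholder key ARN and account IDs; every record below is constructed.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
OWNER, SERVICE, OTHER = "111122223333", "444455556666", "999999999999"

def ev(name, account, principal, error=None, source="kms.amazonaws.com"):
    """Build a sample record holding only the CloudTrail fields used below."""
    rec = {"eventSource": source, "eventName": name,
           "eventTime": "2024-01-01T00:00:00Z",
           "userIdentity": {"accountId": account,
                            "arn": f"arn:aws:iam::{account}:{principal}"},
           "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}]}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_EVENTS = [
    ev("GenerateDataKey", SERVICE, "role/example-service"),
    ev("Decrypt", SERVICE, "role/example-service"),
    ev("Decrypt", SERVICE, "role/example-service", error="AccessDenied"),
    ev("DisableKey", OWNER, "user/example-admin"),
    ev("Decrypt", OTHER, "role/unknown", error="AccessDenied"),
    ev("GetObject", OWNER, "user/example-admin", source="s3.amazonaws.com"),
]

# Assumption: the accounts your key policy is meant to allow.
EXPECTED_ACCOUNTS = {OWNER, SERVICE}
# KMS API calls that change whether the key can be used at all.
KEY_STATE_CALLS = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy",
                   "DisableKeyRotation", "RevokeGrant"}

def review_kms_events(events, expected_accounts=EXPECTED_ACCOUNTS):
    """Return (usage counts per account and call, list of findings)."""
    usage, findings = Counter(), []
    for e in events:
        if e.get("eventSource") != "kms.amazonaws.com":
            continue  # not a KMS event
        ident = e.get("userIdentity", {})
        account = ident.get("accountId", "unknown")
        name = e.get("eventName", "unknown")
        usage[(account, name)] += 1
        if account not in expected_accounts:
            findings.append(("unexpected-account", name, ident.get("arn")))
        if "errorCode" in e:
            findings.append(("failed-call", name, e["errorCode"]))
        if name in KEY_STATE_CALLS:
            findings.append(("key-state-change", name, ident.get("arn")))
    return usage, findings
```

Records without an accountId in userIdentity are counted under "unknown" and reported as unexpected, so they get reviewed rather than silently skipped.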
