Bring Your Own Key (BYOK) encryption for Jira Service Management is now available

Hey everyone!

We are excited to announce that Bring Your Own Key (BYOK) encryption for Jira Service Management is now available to all customers with Enterprise plans.

For customers who are required to apply BYOK encryption to their Cloud infrastructure, the Atlassian BYOK encryption program will enable your own key space for encrypting and decrypting data at-rest. This gives you greater control over your cloud data and, therefore, greater comfort in meeting your compliance requirements or improving your security posture.

To get started with Jira Service Management BYOK encryption, please reach out to your account representative.

Beyond the initial general availability scope, our team is committed to evolving our approach to BYOK and providing more data protection controls to our customers. We’d love to learn more about your encryption needs—please share them in the comments section below.

I’m including a few of the most frequently asked questions below. To learn more, please check out our BYOK support hub. If your questions are not answered, please don’t hesitate to comment below.

Cheers,
Vish Prasad
Sr. Product Manager
Atlassian

FAQs

1. What are the changes since the launch of its Early Adoption Program (EAP)?
   See BYOK Encryption is coming soon to a Cloud instance near you.

   • 24/7 on-call service is now available.

   • BYOK-enabled Jira products are brought under the Atlassian Service Level Agreement.

   • The platform reliability and incident handling have also been improved.

   • Customers can check the provisioning status of their BYOK sites through admin.atlassian.com.

2. What data is managed with BYOK encryption?
   The following support page lists the product data types that are currently supported, as well as the product data types that aren’t supported with Jira Service Management.

3. Is there a plan to offer BYOK capability beyond the Cloud Enterprise plan?
   At this time BYOK encryption is only offered through the Cloud Enterprise and Cloud Enterprise trial plans due to the complexity of supporting this program. We are researching and exploring the possibilities of extending the offering in the future. You may watch this ticket for future updates:
   CLOUD-11064

4. Does Atlassian have login access to my AWS console that is used to manage keys?
   No. Atlassian does not have access to your AWS Console. Our BYOK functionality relies on cross-account Identity and Access Management (IAM) with only API-level access into certain Key Management Service (KMS) operations that are granted by your admin. Each and every access initiated by Atlassian is recorded in the CloudTrail that you have access to.
   It’s worth noting that with our current key model, the BYOK encryption will request new key creation when needed, in addition to performing encryption and decryption. This is to maintain the same least-privilege principle and data segregation security measures that are implemented in Atlassian systems.
   We are actively working on shielding our customers from this complexity.

5. Will non-AWS key stores be supported?
   Our product teams are investigating/exploring supporting customer-keys beyond AWS.