CipherStash Proxy
Transparent, searchable encryption for your existing PostgreSQL database
CipherStash Proxy provides transparent, searchable encryption for your existing PostgreSQL database.
Features
- Automatic encryption and decryption with zero changes to SQL — configure encryption for specific tables and columns
- Queries over encrypted values: equality, comparison, ordering, grouping
- Built-in Prometheus support for monitoring
- Written in Rust for high performance and strongly-typed mapping of SQL statements
- Uses ZeroKMS, offering up to 14x the performance of AWS KMS
- Runs in a container or as a standalone CLI tool
CipherStash Proxy uses the Encrypt Query Language (EQL) to index and search encrypted data.
When to use Proxy vs SDK
| | CipherStash Proxy | Encryption SDK |
|---|---|---|
| Best for | DevOps teams adding encryption to existing PostgreSQL apps | Engineering teams building new applications |
| Code changes | Zero — drop-in replacement for your database connection | Application-level integration with schema definitions |
| Setup | Docker container, configure env vars | npm install, define schemas, integrate into app |
| Control | Automatic, table/column configuration | Fine-grained, per-field control |
Next steps
- Getting started: Get up and running in local dev in under 5 minutes.
- Configuration: Docker setup, environment variables, and EQL installation.
- Multitenant operation: Keyset scoping for cryptographic tenant isolation.
- Searchable JSON: JSONB functions and operators for encrypted data.
- Encrypt tool: CLI tool to encrypt existing data in your database.
- Deploy to AWS ECS: Step-by-step guide for deploying Proxy to AWS ECS.
- Audit features: Statement fingerprinting, redaction, and record reconciliation.
- Reference: All config options, CLI flags, Prometheus metrics, and more.
- Errors: Complete error reference with troubleshooting steps.
- Troubleshooting: ZeroKMS debugging, slow statement logging, and performance.