# Encryption
Field-level encryption with searchable queries, powered by ZeroKMS
CipherStash Encryption provides field-level encryption for your application data. Every value is encrypted with its own unique key via ZeroKMS, backed by AWS KMS. This gives you strong data protection without sacrificing query capability.
## What you get
- Field-level encryption: Each value encrypted with a unique key, not a shared table key.
- Searchable encryption: Run exact match, free-text search, and range queries on encrypted data in PostgreSQL.
- Encrypted JSONB: Query encrypted JSON fields using JSONPath selectors and containment operators.
- Bulk operations: Encrypt or decrypt thousands of values in a single ZeroKMS call.
- Identity-aware encryption: Tie encryption to a user's JWT so only that user can decrypt their data.
- Multi-tenant isolation: Use Key Sets from ZeroKMS to cryptographically isolate encryption keys per tenant, customer, or business unit.
- TypeScript-first: Strongly typed schemas, results, and model operations.
## How it works
- Initialize your project: Run `npx @cipherstash/stack init` to generate your encryption schema and client.
- Set up your database: Run `npx stash-forge setup` to set up searchable encryption in PostgreSQL.
- Encrypt and store: Encrypt values before writing to your database.
- Query encrypted data: Encrypt query terms and run them against your encrypted columns.
- Decrypt on read: Decrypt values when reading from the database.
All key management (key generation, derivation, and isolation) is handled by ZeroKMS. Encryption keys are organized into Key Sets, the same primitive that powers Secrets environment isolation.
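The encrypt, store, query, decrypt cycle above, as an added example that is not CipherStash's code and does not use the @cipherstash/stack API: a self-contained TypeScript model in which a constructed in-process stand-in for a key service derives a unique AES-256-GCM key per stored value, an HMAC-based match index under a separate key makes exact-match queries possible without decrypting anything, and an in-memory array stands in for the PostgreSQL table. The construction, key names and function names (`encryptField`, `matchToken`, `findUserIdsByEmail`, `runDemo`) are assumptions for illustration only, not ZeroKMS's or EQL's actual scheme.

```typescript
import {
  createCipheriv,
  createDecipheriv,
  createHmac,
  hkdfSync,
  randomBytes,
  timingSafeEqual,
} from 'node:crypto';

// Constructed stand-in for a key service (assumption: a real KMS such as ZeroKMS keeps the root
// key outside the application; this module only holds it so the example runs offline).
const ROOT_KEY = randomBytes(32);
// Separate key for the deterministic match index, so index tokens reveal nothing about data keys.
const INDEX_KEY = Buffer.from(hkdfSync('sha256', ROOT_KEY, 'index-salt', 'exact-match-index', 32));

export interface EncryptedField {
  keyId: string;      // random per-value identifier; the data key is derived from it and never stored
  iv: string;         // 96-bit AES-GCM nonce, hex
  ciphertext: string; // AES-256-GCM output, hex (randomised: equal plaintexts give different bytes)
  tag: string;        // 128-bit GCM authentication tag, hex
  matchIndex: string; // HMAC of the plaintext under INDEX_KEY, hex (equal plaintexts give equal tokens)
}

// Derive the unique data key for one stored value from its keyId (HKDF over the root key).
function dataKey(keyId: string): Buffer {
  return Buffer.from(hkdfSync('sha256', ROOT_KEY, keyId, 'per-value-data-key', 32));
}

// Deterministic token used for exact-match queries; normalise so equal strings index identically.
export function matchToken(plaintext: string): string {
  return createHmac('sha256', INDEX_KEY).update(plaintext.normalize('NFC')).digest('hex');
}

// Step "Encrypt and store": called before the value is written to the database.
export function encryptField(plaintext: string): EncryptedField {
  const keyId = randomBytes(16).toString('hex');
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', dataKey(keyId), iv);
  cipher.setAAD(Buffer.from(keyId)); // bind the ciphertext to its key so it cannot be swapped between rows
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    keyId,
    iv: iv.toString('hex'),
    ciphertext: ciphertext.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
    matchIndex: matchToken(plaintext),
  };
}

// Step "Decrypt on read": final() throws if ciphertext, iv, tag or keyId were altered.
export function decryptField(field: EncryptedField): string {
  const decipher = createDecipheriv('aes-256-gcm', dataKey(field.keyId), Buffer.from(field.iv, 'hex'));
  decipher.setAAD(Buffer.from(field.keyId));
  decipher.setAuthTag(Buffer.from(field.tag, 'hex'));
  return Buffer.concat([
    decipher.update(Buffer.from(field.ciphertext, 'hex')),
    decipher.final(),
  ]).toString('utf8');
}

// In-memory stand-in for a table with one encrypted column (constructed; the page's target is PostgreSQL).
export interface UserRow { id: number; email: EncryptedField; }

export function insertUser(table: UserRow[], id: number, email: string): void {
  table.push({ id, email: encryptField(email) });
}

// Step "Query encrypted data": encrypt the query term into its index token and compare tokens,
// so the stored plaintext is never needed and the per-value data keys are never touched.
export function findUserIdsByEmail(table: UserRow[], email: string): number[] {
  const wanted = Buffer.from(matchToken(email), 'hex');
  return table
    .filter((row) => timingSafeEqual(Buffer.from(row.email.matchIndex, 'hex'), wanted))
    .map((row) => row.id);
}

// Runs the whole cycle on constructed rows and returns what each step produced.
export function runDemo() {
  const table: UserRow[] = [];
  insertUser(table, 1, 'alice@example.com');
  insertUser(table, 2, 'alice@example.com'); // same plaintext as row 1
  insertUser(table, 3, 'bob@example.com');
  return {
    aliceIds: findUserIdsByEmail(table, 'alice@example.com'),
    bobIds: findUserIdsByEmail(table, 'bob@example.com'),
    missingIds: findUserIdsByEmail(table, 'carol@example.com'),
    // unique key per value: identical plaintexts still produce different ciphertexts
    ciphertextsDiffer: table[0].email.ciphertext !== table[1].email.ciphertext,
    roundTrip: decryptField(table[2].email),
  };
}

console.log(runDemo());
```

Two design points carry over to any real deployment of this pattern. The randomised ciphertext and the deterministic index are produced under different keys, because a deterministic token necessarily reveals which rows hold equal values; that equality leak is the price of an exact-match index, so the index key needs the same protection as the data keys, and range and free-text queries need index types other than a plain HMAC. The authenticated data ties each ciphertext to its own key identifier, so a row whose ciphertext has been copied from another row fails to decrypt instead of silently yielding someone else's data.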
## Integration paths
| | Encryption SDK | CipherStash Proxy |
|---|---|---|
| Best for | Teams who want fine-grained control over data encryption directly in their application | DevOps teams who want to add encryption to existing PostgreSQL apps with little to no code changes |
| Setup | `npx @cipherstash/stack init` | Docker container, configure environment variables |
| Database | PostgreSQL (full searchable encryption) | PostgreSQL (transparent proxy) |
## Performance
- Latency: < 5ms overhead for most operations (benchmarks)
- Throughput: Scales with your application performance
- Setup time: Running in local dev in < 1 hour, production in < 3 days
## CipherStash Forge
CipherStash Forge is the dev-time CLI for setting up your database. It handles installing the EQL extension, validating schemas, and managing the encryption lifecycle. Think of it like Drizzle Kit or Prisma CLI: a companion tool that sets up the database while @cipherstash/stack handles runtime encryption.
The init wizard lives in @cipherstash/stack. It generates your encryption schema, client file, and installs @cipherstash/stack-forge as a devDependency. Then run stash-forge setup to configure your database.
```shell
npx @cipherstash/stack init   # Interactive project setup
npx stash-forge setup         # Interactive database and EQL setup
npx stash-forge validate      # Check schema for misconfigurations
npx stash-forge status        # Show EQL installation state
```
- Get started with Forge: Install EQL, validate schemas, and manage your database setup.
- Interactive setup: Set up Forge in your project with the interactive init wizard.
## Next steps
- Getting started: Go from zero to encrypted in under 5 minutes with the interactive setup wizard.
- Schema definition: Define which columns to encrypt and what queries to support.
- Searchable encryption: Run queries on encrypted data in PostgreSQL.
- CipherStash Proxy: Transparent encryption proxy. No code changes required.