CipherStash Documentation

Frequently Asked Questions


Where does CipherStash QX run?

CipherStash QX, where your encrypted data is stored and queried, runs in a fully-managed environment close to your app. The CipherStash QX client, where all encryption and decryption takes place, runs in your application, meaning that your data is always under your control. CipherStash QX (and our infrastructure in AWS) never sees any of your data in the clear.

Can it work with NoSQL databases?

CipherStash QX works with both NoSQL and SQL databases.

CipherStash QX integrates at the application layer, and doesn’t rely on any database features for queryable encryption.

What’s the protocol for talking to CipherStash QX?

CipherStash QX clients communicate with CipherStash QX using gRPC. gRPC itself is built on HTTP/2.

These details are abstracted away by our framework integrations (such as ActiveStash) and lower-level language clients (such as StashRB) that the framework integrations are built on.

For more information on why we chose gRPC, see our blog post on the topic.

Why doesn’t CipherStash QX use the standard AWS environment variables (like AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)?

We do this precisely because we don’t want to conflict with the standard AWS environment variables.

For example, consider an application that uses resources in AWS (say, it stores uploads in S3).

As a way of segmenting and limiting access permissions, you would supply two sets of credentials to the application — one for accessing KMS, the other for accessing S3.

If CipherStash QX uses the standard AWS environment variables for KMS access, that application can’t also use the standard environment variables for S3 access.


What sort of aggregations are possible?

CipherStash QX is capable of returning a count of records that match a query.

Additional aggregations such as min, max, mean, and sum are also planned for future support.

Does CipherStash QX support fuzzy matching? Is that configurable?

CipherStash QX supports fuzzy matching of strings through the match, dynamic-match and field-dynamic-match index types.

These index types give you control over what text is indexed, and how the text is tokenized and transformed before being indexed.

What is the default ordering for query results?

By default query results do not have a stable sorting order. However, you can sort results on any field that has a range index.

See the library-specific docs for details on sorting query results:


Is CipherStash QX’s encryption open source?

Yes. We believe that encryption should be open source and developed transparently. Scrutiny breeds trust.

All CipherStash QX client code, including our cryptographic code, can be found on GitHub: