Encryption
Field-level encryption with searchable queries, powered by ZeroKMS
CipherStash Encryption provides field-level encryption for your application data. Every value is encrypted with its own unique key via ZeroKMS, backed by AWS KMS — giving you strong data protection without sacrificing query capability.
What you get
- Field-level encryption — Each value encrypted with a unique key, not a shared table key.
- Searchable encryption — Run exact match, free-text search, and range queries on encrypted data in PostgreSQL.
- Encrypted JSONB — Query encrypted JSON fields using JSONPath selectors and containment operators.
- Bulk operations — Encrypt or decrypt thousands of values in a single ZeroKMS call.
- Identity-aware encryption — Tie encryption to a user's JWT so only that user can decrypt their data.
- Multi-tenant isolation — Use Key Sets from ZeroKMS to cryptographically isolate encryption keys per tenant, customer, or business unit.
- TypeScript-first — Strongly typed schemas, results, and model operations.
How it works
- Define a schema — Declare which columns to encrypt and what queries to support.
- Initialize a client — The SDK connects to ZeroKMS to manage encryption keys.
- Encrypt and store — Encrypt values before writing to your database.
- Query encrypted data — Encrypt query terms and run them against your encrypted columns.
- Decrypt on read — Decrypt values when reading from the database.
All key management — key generation, derivation, and isolation — is handled by ZeroKMS. Encryption keys are organized into Key Sets, the same primitive that powers Secrets environment isolation.
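A minimal sketch of the encrypt, query, and decrypt steps above, using only Node's built-in crypto module. This is an added example, not CipherStash SDK code and not the ZeroKMS scheme: the HKDF per-value key, the HMAC exact-match term, the local `ROOT_KEY`/`INDEX_KEY`, and every function name are assumptions made for illustration.

```typescript
import { createCipheriv, createDecipheriv, createHmac, hkdfSync, randomBytes } from "node:crypto";

// Constructed demo keys (assumption). In the product, key generation and
// derivation are handled by ZeroKMS; these local values only stand in for it.
const ROOT_KEY = randomBytes(32);
const INDEX_KEY = randomBytes(32);

interface EncryptedField { salt: string; iv: string; ct: string; tag: string; eqIndex: string }

// Hypothetical per-value key: HKDF over a fresh random salt, scoped to the column.
function dataKey(salt: Buffer, column: string): Buffer {
  return Buffer.from(hkdfSync("sha256", ROOT_KEY, salt, column, 32));
}

// Hypothetical exact-match term: keyed hash, equal inputs give equal terms.
function eqTerm(column: string, value: string): string {
  return createHmac("sha256", INDEX_KEY).update(column + "\0" + value).digest("hex");
}

function encryptField(column: string, value: string): EncryptedField {
  const salt = randomBytes(16), iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", dataKey(salt, column), iv);
  cipher.setAAD(Buffer.from(column)); // bind the ciphertext to its column
  const ct = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
  return { salt: salt.toString("hex"), iv: iv.toString("hex"), ct: ct.toString("hex"),
           tag: cipher.getAuthTag().toString("hex"), eqIndex: eqTerm(column, value) };
}

function decryptField(column: string, f: EncryptedField): string {
  const key = dataKey(Buffer.from(f.salt, "hex"), column);
  const d = createDecipheriv("aes-256-gcm", key, Buffer.from(f.iv, "hex"));
  d.setAAD(Buffer.from(column));
  d.setAuthTag(Buffer.from(f.tag, "hex"));
  return Buffer.concat([d.update(Buffer.from(f.ct, "hex")), d.final()]).toString("utf8");
}

// Constructed rows standing in for an encrypted PostgreSQL column.
const rows = ["alice@example.com", "bob@example.com", "alice@example.com"]
  .map((email, id) => ({ id, email: encryptField("email", email) }));

// Query: encrypt the search term, then match it against the stored terms.
function findByEmail(email: string): number[] {
  const term = eqTerm("email", email);
  return rows.filter((r) => r.email.eqIndex === term).map((r) => r.id);
}
```

In this sketch the exact-match term is deterministic, so rows holding the same plaintext share a term even though their ciphertexts differ; anyone who can read the index column learns which rows are equal.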
Integration paths
| | Encryption SDK | CipherStash Proxy |
|---|---|---|
| Best for | Teams who want fine-grained control over data encryption directly in their application | DevOps teams who want to add encryption to existing PostgreSQL apps with little to no code changes |
| Setup | npm install @cipherstash/stack, define schemas, integrate into app | Docker container, configure environment variables |
| Database | PostgreSQL (full searchable encryption) | PostgreSQL (transparent proxy) |
Performance
- Latency: < 5ms overhead for most operations (benchmarks)
- Throughput: Scales with your application performance
- Setup time: Running in local dev in < 1 hour, production in < 3 days