Encryption

CipherStash Encryption provides field-level encryption for your application data. Every value is encrypted with its own unique key via ZeroKMS, backed by AWS KMS — giving you strong data protection without sacrificing query capability.

What you get

Field-level encryption — Each value encrypted with a unique key, not a shared table key.
Searchable encryption — Run exact match, free-text search, and range queries on encrypted data in PostgreSQL.
Encrypted JSONB — Query encrypted JSON fields using JSONPath selectors and containment operators.
Bulk operations — Encrypt or decrypt thousands of values in a single ZeroKMS call.
Identity-aware encryption — Tie encryption to a user's JWT so only that user can decrypt their data.
Multi-tenant isolation — Use Key Sets from ZeroKMS to cryptographically isolate encryption keys per tenant, customer, or business unit.
TypeScript-first — Strongly typed schemas, results, and model operations.

How it works

Define a schema — Declare which columns to encrypt and what queries to support.
Initialize a client — The SDK connects to ZeroKMS to manage encryption keys.
Encrypt and store — Encrypt values before writing to your database.
Query encrypted data — Encrypt query terms and run them against your encrypted columns.
Decrypt on read — Decrypt values when reading from the database.

All key management — key generation, derivation, and isolation — is handled by ZeroKMS. Encryption keys are organized into Key Sets, the same primitive that powers Secrets environment isolation.

Integration paths

	Encryption SDK	CipherStash Proxy
Best for	Teams who want fine-grained control over data encryption directly in their application	DevOps teams who want to add encryption to existing PostgreSQL apps with little to no code changes
Setup	`npm install @cipherstash/stack`, define schemas, integrate into app	Docker container, configure environment variables
Database	PostgreSQL (full searchable encryption)	PostgreSQL (transparent proxy)