Key management with ZeroKMS, backed by AWS KMS
ZeroKMS
ZeroKMS is the key management service that powers both CipherStash Encryption and CipherStash Secrets. Every encrypted value gets its own unique key, derived via ZeroKMS and backed by AWS KMS — so you get strong key isolation without managing keys yourself.
Zero Trust Key Management
Zero Trust is a fundamental principle of secure-by-default design. However, applying Zero Trust to key management is unexpectedly difficult: existing solutions reveal either data or keys to intermediaries, which forces higher trust requirements on vendors and service providers.
CipherStash's ZeroKMS uses Zero Trust Key Management (ZTKM): key management for the connected digital landscape.
How it works
- Unique key per value — Each encrypted field uses a distinct data encryption key, not a shared table-level key.
- AWS KMS backed — Root keys are stored in AWS KMS. ZeroKMS handles key derivation and wrapping.
- Zero-knowledge — CipherStash never sees your plaintext data or unwrapped keys. When a data key is requested, ZeroKMS generates and returns key seeds to the client to create the data key locally. Data keys are never seen by third parties and are never sent across the network.
- Multi-tenant isolation — Use keysets to isolate encryption keys per tenant, customer, or business unit.
- Bulk operations — ZeroKMS supports bulk encryption and decryption operations, so each record can have its own data key without sacrificing performance.
- Multi-region — ZeroKMS is highly available and deployed in multiple cloud regions globally. It can also be deployed within your own cloud account or on-prem.
What Key Sets power
Key Sets are ZeroKMS's core primitive for cryptographic isolation. Every product in the CipherStash stack builds on them:
- Encryption — multi-tenant isolation. Each tenant, customer, or business unit gets its own Key Set. Data encrypted under one Key Set cannot be decrypted with another, giving you per-tenant cryptographic boundaries with zero key management overhead. See Encryption configuration for setup details.
- Secrets — environment isolation. Each Secrets environment (production, staging, development) maps to its own Key Set. This means a secret encrypted in staging can never be decrypted with production keys, and vice versa. See Secrets concepts for more detail.
Key Sets are a general-purpose primitive — you can use them to create any cryptographic boundary your application needs, whether that's per-tenant, per-environment, per-region, or any other isolation requirement.
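The following Go program is an added illustration of two properties described above (one data key per value, and Key Set isolation), not CipherStash code and not ZeroKMS's actual construction. It assumes a simplified model: a stand-in key server holds one root key per Key Set (standing in for the AWS KMS-backed root keys), issues a per-record seed on request, and the client expands that seed into an AES-256-GCM key locally, so the data key itself never crosses the network. The names (keyServer, issueSeed, deriveDataKey) and the HMAC/HKDF-style derivation are assumptions chosen for the example; the page does not specify how ZeroKMS derives its seeds.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// keyServer stands in for the key management service: one root key per Key
// Set (in the real service these are backed by AWS KMS). Assumed model only.
type keyServer struct {
	rootKeys map[string][]byte // Key Set name -> root key
}

func newKeyServer(keysets ...string) *keyServer {
	ks := &keyServer{rootKeys: map[string][]byte{}}
	for _, name := range keysets {
		root := make([]byte, 32)
		if _, err := rand.Read(root); err != nil {
			panic(err)
		}
		ks.rootKeys[name] = root
	}
	return ks
}

// issueSeed returns a seed bound to one Key Set and one record id. The seed is
// the only key material that crosses the network in this model.
func (ks *keyServer) issueSeed(keyset, recordID string) ([]byte, error) {
	root, ok := ks.rootKeys[keyset]
	if !ok {
		return nil, fmt.Errorf("unknown keyset %q", keyset)
	}
	mac := hmac.New(sha256.New, root)
	mac.Write([]byte(recordID))
	return mac.Sum(nil), nil
}

// deriveDataKey runs on the client: a single-block HKDF-Expand (RFC 5869) over
// SHA-256 turns the seed into a 32-byte AES-256 key without any network call.
func deriveDataKey(seed []byte, recordID string) []byte {
	mac := hmac.New(sha256.New, seed)
	mac.Write([]byte("data-key:" + recordID))
	mac.Write([]byte{0x01})
	return mac.Sum(nil)
}

func recordAEAD(ks *keyServer, keyset, recordID string) (cipher.AEAD, error) {
	seed, err := ks.issueSeed(keyset, recordID)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveDataKey(seed, recordID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord encrypts one value under its own per-record key. The record id
// is bound as associated data, so a ciphertext cannot be moved to another
// record even inside the same Key Set.
func encryptRecord(ks *keyServer, keyset, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := recordAEAD(ks, keyset, recordID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// decryptRecord fails unless the same Key Set and record id are supplied.
func decryptRecord(ks *keyServer, keyset, recordID string, ciphertext []byte) ([]byte, error) {
	gcm, err := recordAEAD(ks, keyset, recordID)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	ks := newKeyServer("tenant-a", "tenant-b") // constructed Key Set names
	ct, err := encryptRecord(ks, "tenant-a", "user:42", []byte("constructed sample value"))
	if err != nil {
		panic(err)
	}
	pt, err := decryptRecord(ks, "tenant-a", "user:42", ct)
	fmt.Printf("same keyset: %q, err=%v\n", pt, err)
	_, err = decryptRecord(ks, "tenant-b", "user:42", ct)
	fmt.Println("other keyset:", err)
}
```

The cross-Key-Set decrypt fails at GCM authentication rather than with a "wrong key" error, which is the behaviour a caller should expect: the key server issues a seed for any Key Set it knows, and only the AEAD tag reveals that the derived key is the wrong one.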
Read the whitepaper
If you'd like to learn more about ZeroKMS, read the whitepaper on the Trust Center.