CipherStash Docs

What is CipherStash?

CipherStash is field-level encryption you can query without decryption, with cryptographically verifiable audit trails and key management up to 14x faster than AWS KMS.

What is CipherStash?

CipherStash is field-level encryption you can query without decryption, with cryptographically verifiable audit trails and key management up to 14x faster than AWS KMS. It lets you build secure features in days, not months.

Why it matters

The problem: Organizations shouldn't have to choose between protecting their data or using it to drive growth. Traditional security tools are complex, slow down development, and create trade-offs between security and usability.

The solution: CipherStash sees a better way to continuously secure data and unlock its value through developer-friendly tools for fine-grained, provable access control.

How it works

CipherStash implements a zero-knowledge architecture where the platform and vendors never see data keys. The system uses unique data keys per value for precise, per-item encryption and access control, with lock contexts that enforce attribute-based access control using cryptographic proofs.

Core components

CipherStash ZeroKMS: Fine-grained, identity-based control over data access, backed by real-time audit logs and scalable performance.

Integration options:

Key capabilities

  • Searchable encryption: Run queries directly on encrypted data, enabling analysis and use of sensitive information without exposure
  • Granular, identity-bound access controls: Ensure only authorized individuals can access data — eliminating shared credentials and improving security posture
  • Real-time auditability: Log every data access with full context, helping meet SOC2, HIPAA, and GDPR standards while building customer trust
  • Instant access revocation: Revoke data access immediately without waiting on vendors — full control over data relationships and supply chains
  • Flexible key management: Support hybrid, cloud, and mobile deployments beyond traditional hardware security modules

Threat model

CipherStash addresses several key security threats:

Data breach protection: Even if database credentials are compromised, encrypted data remains protected through zero-knowledge architecture.

Insider threats: Granular access controls prevent unauthorized access by internal users, with full audit trails for compliance.

Supply chain attacks: Instant access revocation capabilities allow immediate response to compromised third-party vendors.

Compliance gaps: Real-time auditability ensures continuous compliance with SOC2, HIPAA, and GDPR requirements.

Performance trade-offs: Minimal latency impact (< 5ms overhead) while maintaining 14x faster performance than AWS KMS for cryptographic operations.

Comparisons

vs. Traditional KMS: CipherStash eliminates centralized key storage vulnerabilities while providing 14x better performance for high-throughput environments.

vs. Point-in-Time Compliance: Unlike SOC2 audits that reflect security at a moment, CipherStash provides continuous assurance and real-time auditability.

vs. Database-Level Encryption: CipherStash offers application-layer encryption with searchable capabilities, unlike transparent database encryption that limits query functionality.

vs. Homomorphic Encryption: CipherStash provides practical searchable encryption with minimal performance overhead, suitable for production applications.

Product interaction

  • CipherStash ZeroKMS serves as the foundation, providing fine-grained, identity-based control over data access with real-time audit logs.
  • CipherStash Encryption SDK enables direct integration for fast-moving engineering teams, with most teams up and running in days, not months.
  • CipherStash Proxy offers drop-in SQL proxy functionality for PostgreSQL, requiring zero code changes and available through AWS Marketplace.

Commercial impact

By implementing CipherStash, organizations can:

  • Expand into regulated markets: Securely support financial transactions or healthcare records, opening doors to compliance-sensitive customers
  • Build customer trust: Provide enterprise clients with verifiable control over their data through granular access controls and audit logs
  • Accelerate sales cycles: Meet enterprise compliance requirements without months of security reviews
  • Reduce compliance costs: Automate audit processes and eliminate manual compliance reporting

Platform

Dashboard, workspaces, organization management, and core concepts

Security architecture

Cryptographic primitives, key hierarchy, trust model, and data flow in CipherStash

On this page

What is CipherStash?Why it mattersHow it worksCore componentsKey capabilitiesThreat modelComparisonsProduct interactionCommercial impact