Audit features
Statement fingerprinting, SQL redaction, primary key injection, and record reconciliation in CipherStash Proxy
Audit features
CipherStash Proxy provides comprehensive data access auditing for PostgreSQL. These features work transparently — no changes to your SQL or application code are required.
Statement fingerprinting
Statement fingerprints identify unique SQL statements by examining the raw parse tree using pg_query. Fingerprints ignore query differences when they result in the same query intent. They are unique across environments and time, providing a useful mechanism for identifying query patterns.
Example
| SQL | Fingerprint |
|---|---|
SELECT a, b FROM c | fb1f305bea85c2f6 |
SELECT b, a FROM c | fb1f305bea85c2f6 |
Both queries produce the same fingerprint because they access the same columns from the same table — the column order doesn't affect the intent.
Statement redaction
The statement SQL is redacted before being included in an event payload. All static values in the SQL string are stripped. Table names, column names, and function names are retained.
If parsing fails or another issue prevents redaction, the statement will not be transmitted.
Most PostgreSQL libraries and frameworks default to using parameterized statements and the PostgreSQL Extended Protocol, in which case values will not be included in the SQL.
Example
| Statement SQL | Redacted SQL |
|---|---|
SELECT a, b FROM c | SELECT a, b FROM c |
SELECT a, b FROM c WHERE id = '1' | SELECT a, b FROM c WHERE id = {REDACTED} |
Primary key injection
Primary key injection connects SQL statements to record identifiers. It transparently ensures that any data access event includes the actual record identifiers. No need to instrument or change your SQL.
CipherStash Proxy uses the database schema to identify SQL statements that do not reference a primary key. It injects the missing primary keys into the SQL before execution. Primary keys of accessed records can then be tracked with the data access event.
The performance impact on the database is negligible as the primary key is by definition indexed, and the referenced tables are already present in the SQL statement.
When combined with identity-aware encryption, the events are also linked to client identity, providing an end-to-end view of data access.
Record reconciliation
Record reconciliation extracts the record identifiers, maps them to the appropriate tables, and includes them in the data access event payload sent to Audit.
Injected primary keys are always removed from the SQL results before being returned to the client. The process is internal to CipherStash Proxy — the format of the result set always matches the original query.
How it works together
These four features form a pipeline:
- Fingerprint — identify the query pattern
- Redact — strip sensitive values from the SQL statement
- Inject — add primary key references to track which records are accessed
- Reconcile — extract record identifiers and remove injected keys from results
The result is a complete data access event containing:
- What query was executed (fingerprint + redacted SQL)
- Which records were accessed (reconciled primary keys)
- Who executed it (when combined with identity-aware encryption)
- When it happened (timestamp)
All of this happens transparently within the proxy. Your application receives unmodified query results.