Use cases
Real-world use cases for CipherStash encryption, including data vault comparisons, data sovereignty, and identifying sensitive data
Use cases
CipherStash vs data vaults
Compare CipherStash's proof-based security architecture with traditional data vault solutions like Skyflow and VGS.
Security architecture
CipherStash: Proof-based security
Access is cryptographically provable. You do not need to fully trust CipherStash because we never see the data.
CipherStash is actually multiple separate components: a cloud-based key service (ZeroKMS) and encryption services (either Proxy or the Encryption SDK) that always run in your infrastructure. Neither plaintext nor data keys are ever visible to the cloud service. Even the encrypted values always remain within your systems.
CipherStash ZeroKMS employs an encryption key hierarchy to provide true zero-trust capabilities. For a given keyset, ZeroKMS manages an "authority key" which is not sufficient to generate data encryption keys. The client (Proxy or Encryption SDK) manages an independent client key. Data keys can only be generated by the client and so are never visible to ZeroKMS.
Skyflow and VGS: Trust-based security
There is no way to prove if data was accessed by an unauthorized user. You must trust that the vendor does the right thing.
In contrast, Skyflow and VGS both process and store plaintext data. There is no strict trust boundary between your systems and the data vault which means you must trust that the company's processes, practices and personnel are appropriate.
Searchable encryption
CipherStash encryption is searchable and supports simple lookups, range queries, ordering and even free-text search. Data does not need to be decrypted to operate on and can therefore remain encrypted in a broader range of systems. CipherStash searchable encryption is incredibly fast — even the slowest of the mechanisms used takes less than 1ms to filter records in a PostgreSQL table containing 120 million rows.
Skyflow supports only exact lookups. VGS does not support searchable encryption at all.
Protection beyond the vault
If any encrypted data unexpectedly leaves your PostgreSQL database it remains safe. This provides strong protection against accidental leaks as well as insider threats. Encrypted data can also be transferred between systems without ever needing to decrypt it.
A vault offers no or limited protection for data outside the vault. If original values are retrieved and stored then no protection is provided.
Example: Query customer records
Scenario: You have customer data including SSN, date of birth, email address and home address. You want to retrieve all records where the customer was born in 1990.
| Vendor | How DOB is stored | Query capability | Avoids N+1 | Performance |
|---|---|---|---|---|
| CipherStash | Encrypted per-value in your DB | Range queries via ORE | Yes | Efficient — runs in PostgreSQL |
| Skyflow | Plaintext in vault, token outside | Exact match only; range limited | No | Extra 50–200 ms per vault query |
| VGS | Plaintext in vault, alias outside | Equality only (no range queries) | No | Requires fetching all and filtering client-side |
Data sovereignty
CipherStash provides comprehensive solutions for data sovereignty requirements. The architecture gives you complete control over where your data and key material reside.
Zero-knowledge architecture
- Data keys are never transmitted across networks — keys are derived locally in your infrastructure
- Plaintext data never leaves your systems — encryption and decryption occur entirely within your environment
- Even encrypted values remain in your infrastructure — CipherStash Proxy and Encryption SDK run in your systems
- No single point of compromise — cryptographic proofs ensure unauthorized access is mathematically impossible
Cryptographic control
CipherStash uses a dual-party key split architecture:
- ZeroKMS manages an "authority key" (required but not sufficient)
- Your client (Proxy or Encryption SDK) manages an independent "client key"
- Data keys can only be generated when both components cooperate
- Data keys are never visible to ZeroKMS or transmitted over networks
Regional deployment
ZeroKMS is available in multiple regions globally, including Asia Pacific (Sydney), Europe (Frankfurt, Ireland), US East, and US West.
Compliance alignment
CipherStash's data sovereignty architecture supports compliance with GDPR, regional data protection laws, government regulations, and industry-specific requirements for healthcare, financial services, and other regulated sectors.
What data should I protect?
When improving your data security practices, it can be difficult to know what data is important enough to protect. Here are the common types of sensitive data you should encrypt.
Personally Identifiable Information (PII)
Any data that could identify a specific individual: names, phone numbers, dates of birth, addresses, emails, IP addresses, social security numbers, license numbers, passport numbers.
Applicable regulations: GDPR, CCPA, HIPAA, APP (Australia), PCI-DSS, SOC2, ISO27001
Protected Health Information (PHI)
Any information about health status, provision of health care, or payment for health care that can be linked to an individual: medical record numbers, health insurance beneficiary numbers, biometric identifiers, medical conditions, medication histories, payment histories.
Applicable regulations: HIPAA, CMIA, GDPR, APP
Financial Information
Data about money, accounts, and transactions: account numbers and balances, transaction data, TFNs/ITINs, saved payees.
Applicable regulations: GDPR, CCPA, PCI-DSS, CDR (Australia), SOC2, ISO27001
Authentication Information
Credentials used to gain access to accounts and services: usernames, passwords (plaintext and hashed), OAuth tokens, session cookies.
Applicable regulations: SOC2, ISO27001, PCI-DSS