Getting started with Node.js, Sequelize, and CipherStash

This guide will step you through adding CipherStash to your Node.js-based JavaScript application using Sequelize.

By the end of this guide, you will have:

  • Encrypted sensitive data inside your existing database
  • Queried that encrypted data

The steps you’ll go through are:

  1. Define which database columns should be encrypted
  2. Encrypt the sensitive data
  3. Query the newly encrypted data

Before you start

You’ll need to install some tools:

  1. The CipherStash CLI
  2. The CipherStash database driver

This tutorial takes you through adding CipherStash to an existing JavaScript application using PostgreSQL and Sequelize.

Start by cloning the repo and installing dependencies:

git clone
cd cipherstash-sequelize-demo-app
npm install

Create the database, run migrations, and seed the database with dummy patient data:

npx sequelize-cli db:create
npx sequelize-cli db:migrate
npx sequelize-cli db:seed:all

Install the CipherStash CLI

The CipherStash CLI is used to manage your encryption schema.

The encryption schema defines what encrypted indexes exist, and what queries you can perform on those indexes.

On macOS

Install via Homebrew:

brew install cipherstash/tap/stash

If macOS asks you whether you are sure you want to open “stash”, please select “Open”.

On Linux

Download the binary for your platform:

  1. Make the binary executable:
    # on x86_64
    chmod +x $path_to/stash-x86_64-unknown-linux-gnu
    # on ARM64
    chmod +x $path_to/stash-aarch64-unknown-linux-gnu
  2. Rename the binary:
    # on x86_64
    mv stash-x86_64-unknown-linux-gnu stash
    # on ARM64
    mv stash-aarch64-unknown-linux-gnu stash
  3. Place the binary on your $PATH, so you can run it.

Sign up

You can start your signup from the CLI:

stash signup

Your browser will open to where you can sign up with either your GitHub account, or a standalone email.

CipherStash signup confirmation page

Install the CipherStash database driver

The CipherStash database driver transparently maps SQL statements to encrypted database columns.

It is installed by overriding the pg-native package with the drop in replacement @cipherstash/pg-native.

Under the hood @cipherstash/pg-native uses the package @cipherstash/libpq which contains the CipherStash PostgreSQL driver.

To install them both, first install @cipherstash/libpq:

npm add @cipherstash/libpq

And then @cipherstash/pg-native using an npm alias:

npm add pg-native@npm:@cipherstash/pg-native