Encryption

CipherStash Encryption provides field-level encryption for your application data. Every value is encrypted with its own unique key via ZeroKMS, backed by AWS KMS. This gives you strong data protection without sacrificing query capability.

What you get

Field-level encryption: Each value encrypted with a unique key, not a shared table key.
Searchable encryption: Run exact match, free-text search, and range queries on encrypted data in PostgreSQL.
Encrypted JSONB: Query encrypted JSON fields using JSONPath selectors and containment operators.
Bulk operations: Encrypt or decrypt thousands of values in a single ZeroKMS call.
Identity-aware encryption: Tie encryption to a user's JWT so only that user can decrypt their data.
Multi-tenant isolation: Use Key Sets from ZeroKMS to cryptographically isolate encryption keys per tenant, customer, or business unit.
TypeScript-first: Strongly typed schemas, results, and model operations.

How it works

Define a schema: Declare which columns to encrypt and what queries to support.
Initialize a client: The SDK connects to ZeroKMS to manage encryption keys.
Encrypt and store: Encrypt values before writing to your database.
Query encrypted data: Encrypt query terms and run them against your encrypted columns.
Decrypt on read: Decrypt values when reading from the database.

All key management (key generation, derivation, and isolation) is handled by ZeroKMS. Encryption keys are organized into Key Sets, the same primitive that powers Secrets environment isolation.

Integration paths

	Encryption SDK	CipherStash Proxy
Best for	Teams who want fine-grained control over data encryption directly in their application	DevOps teams who want to add encryption to existing PostgreSQL apps with little to no code changes
Setup	`npm install @cipherstash/stack`, define schemas, integrate into app	Docker container, configure environment variables
Database	PostgreSQL (full searchable encryption)	PostgreSQL (transparent proxy)