Encryption
Field-level encryption with searchable queries, powered by ZeroKMS
CipherStash Encryption provides field-level encryption for your application data. Every value is encrypted with its own unique key via ZeroKMS, backed by AWS KMS. This gives you strong data protection without sacrificing query capability.
What you get
- Field-level encryption: Each value encrypted with a unique key, not a shared table key.
- Searchable encryption: Run exact match, free-text search, and range queries on encrypted data in PostgreSQL.
- Encrypted JSONB: Query encrypted JSON fields using JSONPath selectors and containment operators.
- Bulk operations: Encrypt or decrypt thousands of values in a single ZeroKMS call.
- Identity-aware encryption: Tie encryption to a user's JWT so only that user can decrypt their data.
- Multi-tenant isolation: Use Key Sets from ZeroKMS to cryptographically isolate encryption keys per tenant, customer, or business unit.
- TypeScript-first: Strongly typed schemas, results, and model operations.
How it works
- Initialize your project: Run npx @cipherstash/cli init to generate your encryption schema and client.
- Set up your database: Run npx @cipherstash/cli db setup to set up searchable encryption in PostgreSQL.
- Encrypt and store: Encrypt values before writing to your database.
- Query encrypted data: Encrypt query terms and run them against your encrypted columns.
- Decrypt on read: Decrypt values when reading from the database.
All key management (key generation, derivation, and isolation) is handled by ZeroKMS. Encryption keys are organized into Key Sets, the same primitive that powers Secrets environment isolation.
Integration paths
| | Encryption SDK | CipherStash Proxy |
|---|---|---|
| Best for | Teams who want fine-grained control over data encryption directly in their application | DevOps teams who want to add encryption to existing PostgreSQL apps with little to no code changes |
| Setup | npx @cipherstash/cli init | Docker container, configure environment variables |
| Database | PostgreSQL (full searchable encryption) | PostgreSQL (transparent proxy) |
Performance
- Latency: < 5ms overhead for most operations (benchmarks)
- Throughput: Scales with your application performance
- Setup time: Running in local dev in < 1 hour, production in < 3 days
CipherStash Forge
CipherStash Forge is the dev-time CLI for setting up your database. It handles installing the EQL extension, validating schemas, and managing the encryption lifecycle. Think of it like Drizzle Kit or Prisma CLI: a companion tool that sets up the database while @cipherstash/stack handles runtime encryption.
The init wizard lives in @cipherstash/cli. It generates your encryption schema and client file, and installs @cipherstash/cli as a devDependency. Then run npx @cipherstash/cli db setup to configure your database.
npx @cipherstash/cli init # Interactive project setup
npx @cipherstash/cli db setup # Interactive database and EQL setup
npx @cipherstash/cli db validate # Check schema for misconfigurations
npx @cipherstash/cli db status # Show EQL installation state
npx @cipherstash/cli wizard # AI-powered encryption setup
Get started with Forge
Install EQL, validate schemas, and manage your database setup.
Interactive setup
Set up Forge in your project with the interactive init wizard.
Next steps
Getting started
Go from zero to encrypted in under 5 minutes with the interactive setup wizard.
Schema definition
Define which columns to encrypt and what queries to support.
Searchable encryption
Run queries on encrypted data in PostgreSQL.
CipherStash Proxy
Transparent encryption proxy. No code changes required.