KMS
Key management with ZeroKMS, backed by AWS KMS
ZeroKMS
ZeroKMS is the key management service that powers both CipherStash Encryption and CipherStash Secrets. Every encrypted value gets its own unique key, derived via ZeroKMS and backed by AWS KMS. You get strong key isolation without managing keys yourself.
Zero Trust Key Management
Zero Trust is a fundamental principle of secure-by-default design. However, applying Zero Trust to key management is unexpectedly difficult. Existing solutions reveal either data or keys to intermediaries, which forces higher trust requirements on vendors and service providers.
CipherStash's ZeroKMS uses Zero Trust Key Management (ZTKM): key management for the connected digital landscape.
How it works
- Unique key per value: Each encrypted field uses a distinct data encryption key, not a shared table-level key.
- AWS KMS backed: Root keys are stored in AWS KMS. ZeroKMS handles key derivation and wrapping.
- Zero-knowledge: CipherStash never sees your plaintext data or unwrapped keys. When a data key is requested, ZeroKMS generates and returns key seeds to the client to create the data key locally. Data keys are never seen by third parties and are never sent across the network.
- Multi-tenant isolation: Use keysets to isolate encryption keys per tenant, customer, or business unit.
- Bulk operations: ZeroKMS supports bulk encryption and decryption operations, enabling a unique data key per record without sacrificing performance.
- Multi-region: ZeroKMS is highly available and deployed in multiple cloud regions globally. It can also be deployed within your own cloud account or on-prem.
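The model described above (root keys that never leave the KMS, a key service that hands out per-value seeds, and a client that turns each seed into a data key locally) as an added, simplified illustration. This is not ZeroKMS's protocol or the CipherStash SDK: the class names, the client-side secret combined with the seed, the HKDF step and the toy keystream cipher are all assumptions made for this example.

```python
import hashlib
import hmac
import os


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869), written out so the example needs only the stdlib."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class RootKeyStore:
    """Stands in for AWS KMS: one root key per keyset, created here and never exported."""
    def __init__(self):
        self._roots = {}

    def create_keyset(self, keyset_id: str) -> None:
        self._roots[keyset_id] = os.urandom(32)

    def derive(self, keyset_id: str, context: bytes) -> bytes:
        # An unknown keyset raises KeyError: there is no key to derive from.
        return hmac.new(self._roots[keyset_id], context, hashlib.sha256).digest()


class KeyService:
    """Plays the ZeroKMS role: returns per-value seeds, never a data key."""
    def __init__(self, roots: RootKeyStore):
        self._roots = roots

    def seed(self, keyset_id: str, seed_id: bytes) -> bytes:
        # Deterministic in (keyset, seed_id) so the same seed is available again at decrypt time.
        return self._roots.derive(keyset_id, b"seed:" + seed_id)


class Client:
    """Holds a secret the key service never sees and derives data keys locally from it."""
    def __init__(self, service: KeyService, client_secret: bytes):
        self._service, self._secret = service, client_secret

    def data_key(self, keyset_id: str, seed_id: bytes) -> bytes:
        seed = self._service.seed(keyset_id, seed_id)
        return hkdf(salt=seed, ikm=self._secret, info=b"data-key:" + keyset_id.encode())

    def encrypt(self, keyset_id: str, plaintext: bytes) -> tuple:
        seed_id = os.urandom(16)  # fresh seed id per value, so every value gets its own key
        return seed_id, _keystream_xor(self.data_key(keyset_id, seed_id), plaintext)

    def decrypt(self, keyset_id: str, seed_id: bytes, ciphertext: bytes) -> bytes:
        return _keystream_xor(self.data_key(keyset_id, seed_id), ciphertext)


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy HMAC-counter keystream so the example runs without a crypto library; real code uses AES-GCM.
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))
```

Decrypting a value under a different keyset derives a different key and yields garbage rather than the plaintext, which is the cryptographic boundary the text describes.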
Key Sets
Key Sets are ZeroKMS's core primitive for cryptographic isolation. A keyset is an independent cryptographic boundary — data encrypted under one keyset cannot be decrypted with another.
Keysets are managed in the CipherStash Dashboard as a cloud primitive. How you use them is up to your architecture:
- Tenant isolation — one keyset per customer or business unit, giving per-tenant cryptographic boundaries with zero key management overhead. See Encryption configuration.
- Environment isolation — separate keysets for production, staging, and development. The Secrets SDK maps its `environment` parameter to a keyset automatically. See Secrets concepts.
- Regional or compliance boundaries — isolate data by jurisdiction or regulatory requirement.
- Any boundary your application needs — keysets are general-purpose. Combine them however your architecture requires.
Read the whitepaper
If you'd like to learn more about ZeroKMS, read the whitepaper on the Trust Center.