- Encryption: Field-level encryption for TypeScript apps with searchable encrypted queries, zero-knowledge key management, and first-class ORM support.
- Secrets: Zero-trust secrets management with end-to-end encryption. Plaintext never leaves your application.
Encryption
```typescript
import { Encryption, defineContract, encrypted } from "@cipherstash/stack"

// 1. Define your contract
const contract = defineContract({
  users: {
    email: encrypted({ type: "string", equality: true, freeTextSearch: true }),
  },
})

// 2. Initialize the client
const client = await Encryption({ contract })

// 3. Encrypt
const { data: ciphertext } = await client.encrypt("secret@example.com", {
  contract: contract.users.email,
})

// 4. Decrypt
const { data: plaintext } = await client.decrypt(ciphertext)
// => "secret@example.com"
```

Secrets
```typescript
import { Secrets } from "@cipherstash/stack";

// 1. Initialize the secrets client
const secrets = new Secrets({ environment: "production" });

// 2. Set a secret with the SDK or the CLI
await secrets.set("DATABASE_URL", "postgres://user:pass@host:5432/db");

// 3. Consume the secret in your application
const { data } = await secrets.get("DATABASE_URL");
```

```bash
npm install @cipherstash/stack
# or
yarn add @cipherstash/stack
# or
pnpm add @cipherstash/stack
# or
bun add @cipherstash/stack
```

Important
You need to opt out of bundling when using @cipherstash/stack.
It uses Node.js-specific features and requires the native Node.js require.
Read more about bundling in the documentation.
- Searchable encryption: query encrypted data with equality, free text search, range, and JSONB queries.
- Type-safe contracts: define encrypted tables and columns declaratively with defineContract.
- Model & bulk operations: encrypt and decrypt entire objects or batches with encryptModel/bulkEncryptModels.
- Identity-aware encryption: bind encryption to user identity with lock contexts for policy-based access control.
- Secrets management: store and retrieve encrypted secrets via the Secrets SDK and CLI.
- Trusted data access: ensure only your end-users can access their sensitive data using identity-bound encryption.
- Sensitive config management: store API keys and database credentials with zero-trust encryption and full audit trails.
- Reduce breach impact: limit the blast radius of exploited vulnerabilities to only the data the affected user can decrypt.
Contributions are welcome and highly appreciated. However, before you jump right into it, we would like you to review our Contribution Guidelines to make sure you have a smooth experience contributing.
If you believe you have found a security vulnerability, we encourage you to responsibly disclose this and NOT open a public issue.
Please email security@cipherstash.com with details about the vulnerability. We will review your report and provide further instructions for submitting your report.
This project is MIT licensed.