
End-to-end, searchable encrypted data-store

A secure, searchable encrypted data store that's fast, based on industry-standard cryptography, and that developers love to use.


Full query support with maximum security

A dev-friendly client API provides the flexibility you're used to but reveals virtually no information to the server.

What you see / What CipherStash sees

Animation: two terminals. In one, a person types the search query 'customers.where((q) => ({ name: q.match('ace') }))', which then executes with a loading animation. The other terminal shows 'tail -f debug.log'; on receiving the query it shows an encrypted ciphertext, and after one second it replies with another encrypted ciphertext, which appears on the first terminal as clear, readable text.

Where you store data matters

Whether it's in a traditional SQL database, a NoSQL store or search index, where and how you store sensitive data is paramount to keeping it secure. If data security is important to you then you probably already use encryption...

...but it might not be as secure as you think!

Diagram: an encrypted data storage that is connected to an unencrypted database. The query "name.match(ace)" is executed and it is noted that the database is unencrypted and therefore readable by admins or attackers. Labels: full query support, unencrypted request.

Diagram: an encrypted data storage that is connected to an encrypted database. The query "doc.id = 123" is executed and it is noted that while the database is now encrypted there is no more complex query support. Labels: encrypted rows, no query support, unencrypted request.

Diagram: an encrypted data storage that is connected to an encrypted database. A query is executed but we can't see it because it is encrypted as well as the database. It is noted that now both database and query are fully encrypted with full query support. Labels: database encrypted, full query support, encrypted request.

The Problem

Transparent Data Encryption

Transparent Data Encryption (TDE) is a common approach that encrypts the underlying filesystem of your database. Clients can access data as normal but TDE offers only limited protection because in a running database, everything is decrypted.

Database records encrypted directly

One alternative is to encrypt every column and row in your database. While this offers good levels of security, the ability to perform useful queries either disappears entirely or comes with major trade-offs. Records can only be retrieved by an unencrypted (or deterministic) primary key.
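The trade-off described above, as an added Node.js example that is not CipherStash code: each field is encrypted with AES-256-GCM and one field gets a deterministic HMAC-SHA-256 lookup tag, so exact lookups work while a partial match finds nothing. The key names, function names and sample rows are constructed for illustration.

```javascript
// Added illustration (not CipherStash code): per-field encryption plus a
// deterministic lookup tag. All names and sample rows are constructed.
const crypto = require('crypto');

const encKey = crypto.randomBytes(32); // AES-256-GCM key held by the client
const tagKey = crypto.randomBytes(32); // separate HMAC key for lookup tags

// Randomised encryption: the same plaintext gives a different blob each time.
function encryptField(plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', encKey, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

function decryptField(blob) {
  const raw = Buffer.from(blob, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', encKey, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// Deterministic tag: equal inputs give equal tags, so the server can match it.
function lookupTag(value) {
  return crypto.createHmac('sha256', tagKey).update(value.toLowerCase()).digest('hex');
}

// What the database stores: ciphertext plus the email tag, no plaintext.
const table = [
  { name: 'Jane Smith', email: 'jane@example.test' },
  { name: 'Dan Jones', email: 'dan@example.test' },
].map((r) => ({
  emailTag: lookupTag(r.email),
  name: encryptField(r.name),
  email: encryptField(r.email),
}));

// Exact match: the client sends a tag and the server compares opaque strings.
function findByEmail(email) {
  const tag = lookupTag(email);
  return table.filter((row) => row.emailTag === tag).map((row) => decryptField(row.name));
}

// Partial match: the tag of a substring is unrelated to the tag of the value.
function countByEmailFragment(fragment) {
  const tag = lookupTag(fragment);
  return table.filter((row) => row.emailTag === tag).length;
}
```

The deterministic tag also tells the server which rows share the same value, which is one of the trade-offs of this approach.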

The Solution

CipherStash

CipherStash uses a searchable encryption scheme, which means data is always encrypted (including field names) but remains searchable by clients with the appropriate key. Even the queries themselves are encrypted! This gives your sensitive data very high levels of protection without compromising on usability.

A new kind of data storage platform

When your code interacts with the CipherStash Data Platform, every query, insert and update is encrypted before it is sent across the network, using keys that you control. This means that sensitive data is always protected but you can still search it using the kinds of queries you're familiar with.

Built from the start for security

CipherStash was designed from the start to meet very high levels of security and compliance. Instead of building on top of existing relational databases or search indexes (which have major security drawbacks, even when encrypted), CipherStash uses a fast, memory-mapped B-tree and an Order-Revealing Encryption scheme based on research from Stanford University.

Based on Industry Standard Cryptography

CipherStash is based on existing primitives like AES and SHA-256. It's actually kinda boring! But that means there is less to go wrong.

Read: Order Revealing Encryption

Snapshot Secure

CipherStash is resistant to "snapshot attacks" where an attacker can get a copy of your entire database system - including files, logs and a copy of all running memory.

AWS: Your account or ours?

CipherStash runs in AWS and allows you to host parts of the infrastructure in your own account.

Next generation authentication

Say goodbye to credentials in connection strings! Connect to CipherStash using flexible, secure auth schemes that don't require you to reinvent the wheel.

Diagram (step 1): four boxes labeled Application, Authenticate Identity Provider, Encrypt/Decrypt and Data Service. The Application box is highlighted.

Diagram (step 2): a highlighted arrow runs from the Application box to the Authenticate Identity Provider box, which is highlighted.

Diagram (step 3): an arrow labeled "Token" runs back from the Authenticate Identity Provider box to the Application box, and an arrow labeled "Token" runs from the Application box to the Encrypt/Decrypt box, which is highlighted.

Diagram (step 4): two arrows run from the Encrypt/Decrypt box to the Data Service box and back. The arrows are labeled with random tokens "af3d11" and "ba1a1c".

Your Application

Any NodeJS application can use CipherStash. Other languages and frameworks coming soon.

Authenticate

Your app authenticates to a supported Identity Provider. You can use your existing IdP or the one hosted by CipherStash. Both user and machine-to-machine flows are supported.

Supported Providers

More integrations coming soon

Encryption Service

Both documents and queries are encrypted (and decrypted) using the encryption service. We can fully manage it for you (still with keys that you control) or you can manage the whole thing yourself (coming soon).

Diagram labels: id: abc11c33; Encrypted Document: Enc(name), Enc(dob), Enc(email); Encrypted Indexes.

Data Service

Documents are stored in the end-to-end, searchable encrypted data store which can then be queried with fully encrypted queries.

The Data Service is fully managed in the CipherStash cloud but never sees any data in the clear.

Text search over encrypted data

Partial or Exact Matches

CipherStash allows you to perform text searches over your data set with close to the performance of traditional data stores. Both the queries and the replies are encrypted end-to-end.

// Partial string match
users.where((q) => {
	return { name: q.match("dan") }
})

// Exact ("keyword") match
users.where({email: "[email protected]"})

Range queries over encrypted data

Range Queries

Fetch all records that match a range condition such as integers greater than x or records before a timestamp.

// All records after start date
// (JavaScript months are zero-based, so this is 1 November 2020)
let startDate = new Date(2020, 10, 1)
logs.where((q) => {
	return { timestamp: q.after(startDate) }
})

// All balances of 1000 or more
wallets.where((q) => {
	return { balance: q.gte(1000) }
})
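How a server can answer a range condition without the key, as an added Node.js example that is not CipherStash code: it implements the simple bitwise order-revealing construction published by Chenette, Lewi, Weis and Wu, with HMAC-SHA-256 as the PRF, and is not claimed to be the scheme CipherStash uses. The function names and the sample balances are constructed.

```javascript
// Added illustration (not CipherStash code): bitwise order-revealing
// encryption (Chenette-Lewi-Weis-Wu) with HMAC-SHA-256 as the PRF.
const crypto = require('crypto');

const BITS = 32; // plaintexts are unsigned 32-bit integers

// PRF output in {0,1,2}, keyed on the bit position and the higher-order bits.
function prfMod3(key, index, prefix) {
  const mac = crypto.createHmac('sha256', key).update(`${index}:${prefix}`).digest();
  return mac.readUInt32BE(0) % 3; // bias of about 2^-32, acceptable for a demo
}

// Client side: one symbol per bit, u_i = PRF(i, bits above i) + bit_i (mod 3).
function oreEncrypt(key, value) {
  const bits = (value >>> 0).toString(2).padStart(BITS, '0');
  const out = [];
  for (let i = 0; i < BITS; i++) {
    out.push((prfMod3(key, i, bits.slice(0, i)) + Number(bits[i])) % 3);
  }
  return out;
}

// Server side, no key needed: -1 if a < b, 0 if equal, 1 if a > b.
function oreCompare(a, b) {
  for (let i = 0; i < BITS; i++) {
    if (a[i] !== b[i]) return b[i] === (a[i] + 1) % 3 ? -1 : 1;
  }
  return 0;
}

// Leakage of this scheme: the server learns the first differing bit position.
function firstDifference(a, b) {
  return a.findIndex((sym, i) => sym !== b[i]);
}

// Constructed sample: wallet balances stored only as ORE ciphertexts.
const key = crypto.randomBytes(32);
const stored = [250, 1000, 999, 73000, 1001].map((v) => oreEncrypt(key, v));

// Range query "balance >= threshold": the client encrypts the bound and the
// server returns the row numbers whose ciphertexts compare as >= the bound.
function rowsAtLeast(threshold) {
  const bound = oreEncrypt(key, threshold);
  return stored.map((ct, i) => (oreCompare(ct, bound) >= 0 ? i : -1)).filter((i) => i >= 0);
}
```

Ciphertexts in this construction are deterministic and reveal the position of the first differing bit between any two values, so it should be read as an explanation of the idea, not a recommendation of this particular scheme.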

Combinations!

Combine query types

Combine constraints on multiple fields or compose queries for great flexibility.

// All records after start date whose URL matches "website.com"
let startDate = new Date(2020, 10, 1)
logs.where((q) => {
	return {
		timestamp: q.after(startDate),
		url: q.match("website.com")
	}
})