CipherStash glossary
Attribute-Based Access Control (ABAC) is a dynamic security model that makes access decisions based on a variety of attributes, including user characteristics, resource details, and environmental factors. Unlike Role Based Access Control (RBAC), which relies solely on a user's assigned role, ABAC offers more granular and context-aware policies that adapt to changing conditions and diverse scenarios. This flexibility makes ABAC particularly suitable for complex and evolving environments where static roles may not capture all necessary security nuances.
A persistent authentication credential used for communication with ZeroKMS.
Activities to administer your CipherStash account, such as billing and adding or removing users.
An encrypted version of plaintext, produced by applying an encryption algorithm (a cipher) under a key. It is unreadable without the key needed to decrypt it.
See also: Plaintext
The command line tool for interacting with CipherStash services.
A database proxy that sits between an application and a database, enhancing your existing database with encryption in use. CipherStash Proxy works in tandem with your existing infrastructure and is fully contained within your environment.
See our intro to CipherStash Proxy for details.
A programmatic access point to a keyset. A client can have many keysets, and a keyset can also be shared by multiple clients. To access a keyset, you need a client key and a client ID.
A unique identifier of a client. Each client key and client ID is unique to your app. In development, each dev can have their own client key and ID; in production, the client key and ID are used to uniquely identify your app.
The secret credential for a client, used together with the client ID. Each client key and client ID is unique to your app. The client key is sensitive and must be kept secret: treat it like any other production credential and keep it out of source control. In development, each dev can have their own client key and ID; in production, the client key and ID are used to uniquely identify your app.
A table with its configured columns, together with any queries that need to be mapped, parameters that require encryption, and results that require decryption.
The CipherStash Token Service (CTS) manages the trust relationships between a workspace and third-party or customer identity providers. It brokers secure access to CipherStash services like ZeroKMS, ensuring that only authenticated and authorized users gain entry. By centralizing token management, CTS simplifies the integration of diverse identity sources while maintaining robust security across the platform.
The web interface for configuring and using CipherStash Proxy.
Available at dashboard.cipherstash.com.
An event triggered by the execution of SQL statements by CipherStash Proxy. Includes metadata of the statements executed and the records accessed.
An append-only log of data access events produced by the CipherStash Proxy and consumed by Audit.
The target database.
Our open-source library for PostgreSQL users. It simplifies the process of encrypting and querying sensitive data, giving you powerful tools to encrypt data transparently at the field level, query encrypted data directly using familiar SQL commands, and leverage encrypted indexes for secure and efficient searches.
A third-party identity provider, like Auth0, Okta, or Ping.
JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims between two parties as a JSON object, typically used for authentication and authorization. They are digitally signed to ensure the integrity and authenticity of the claims, allowing systems to verify user identity without maintaining server-side sessions. A JWT is only as trustworthy as the verification applied to it: the receiver must check the signature against a trusted key for an expected algorithm and validate the claims (issuer, audience, expiry) before acting on them.
A keyset is used to generate data encryption keys, and is managed by ZeroKMS. It includes configuration for encrypted columns and queryable indexes. Use keysets to group data for a specific purpose or project. A client can have many keysets, and a keyset can also be shared by multiple clients.
A statement that has been transformed during encryption.
OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol that enables clients to verify user identity through an Identity Provider. It facilitates secure single sign-on (SSO) and simplifies authentication by having the Identity Provider return standardized identity claims in an ID token (a JWT) over RESTful endpoints, making it a popular choice for modern web and mobile applications.
A searchable encryption technique allowing for search, comparison, and sorting of encrypted data without decryption. Because the ordering of the ciphertexts is itself revealed to whoever can compare them, the security analysis must account for what an attacker can infer from order alone.
Unencrypted information, readable by humans and computers.
Role Based Access Control (RBAC) is a security model that assigns access permissions based on a user's role within an organization, streamlining the management of access rights by grouping permissions into predefined roles. Unlike Attribute Based Access Control (ABAC), which evaluates policies based on a range of attributes such as user characteristics, resource properties, and environmental conditions, RBAC relies solely on roles to determine access, making it simpler to administer while potentially less flexible in dynamic environments.
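To make the ABAC and RBAC definitions concrete, here is an added example (not from the CipherStash glossary or any CipherStash product) that evaluates the same access request under both models. The roles, departments, clearance levels, and policies are constructed for the demo. RBAC answers from the subject's roles alone; ABAC combines subject, resource, and environment attributes, and denies by default when an attribute is missing or no policy covers the action.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class Request:
    """One access request: who is asking, for what, and under which conditions."""
    subject: dict   # e.g. {"roles": ["analyst"], "department": "finance", "clearance": 2}
    resource: dict  # e.g. {"department": "finance", "classification": 2}
    env: dict       # e.g. {"hour": 10, "network": "corp"}
    action: str     # e.g. "report:read"


# RBAC: permissions hang off roles; the decision looks at nothing but the subject's roles.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst": {"report:read"},
    "admin": {"report:read", "report:write", "user:manage"},
}


def rbac_allows(req: Request) -> bool:
    roles = req.subject.get("roles", [])
    return any(req.action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# ABAC: each policy is a predicate over subject, resource, and environment attributes.
# A missing attribute evaluates to False so that an incomplete request is denied, never allowed.
Policy = Callable[[Request], bool]


def same_department(req: Request) -> bool:
    dept = req.subject.get("department")
    return dept is not None and dept == req.resource.get("department")


def clearance_sufficient(req: Request) -> bool:
    clearance = req.subject.get("clearance")
    classification = req.resource.get("classification")
    return clearance is not None and classification is not None and clearance >= classification


def business_hours(req: Request) -> bool:
    hour = req.env.get("hour")
    return hour is not None and 9 <= hour < 18


def on_corporate_network(req: Request) -> bool:
    return req.env.get("network") == "corp"


# Writes carry environmental conditions that reads do not; this is where ABAC's
# context-awareness shows up and where RBAC has no vocabulary at all.
ABAC_POLICIES: Dict[str, List[Policy]] = {
    "report:read": [same_department, clearance_sufficient],
    "report:write": [same_department, clearance_sufficient, business_hours, on_corporate_network],
}


def abac_allows(req: Request) -> bool:
    policies = ABAC_POLICIES.get(req.action)
    if not policies:
        return False  # default deny for actions without a policy
    return all(policy(req) for policy in policies)


def decide(req: Request) -> Dict[str, bool]:
    """Evaluate one request under both models so the difference is visible side by side."""
    return {"rbac": rbac_allows(req), "abac": abac_allows(req)}


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real system.
    admin_after_hours = Request(
        subject={"roles": ["admin"], "department": "finance", "clearance": 3},
        resource={"department": "finance", "classification": 2},
        env={"hour": 22, "network": "home"},
        action="report:write",
    )
    analyst_other_dept = Request(
        subject={"roles": ["analyst"], "department": "finance", "clearance": 2},
        resource={"department": "hr", "classification": 1},
        env={"hour": 10, "network": "corp"},
        action="report:read",
    )
    print(decide(admin_after_hours))   # role says yes, attributes say no
    print(decide(analyst_other_dept))  # role says yes, department mismatch says no
```

The admin-after-hours case is the one the ABAC definition is about: the role grants report:write unconditionally, while the attribute policies refuse the write from an off-network device outside business hours. Adding a new condition (say, requiring MFA in the last hour) is one more predicate under ABAC; under RBAC it would need a new role and a re-assignment of users.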
An encrypted data structure for finding records in encrypted columns. Essential for querying encrypted data, as it lets the database locate matching rows without decrypting every row or scanning the whole table, improving performance. Note: This is a core feature of CipherStash, supporting range, exact, and match queries.
The act of creating a CipherStash account. You can do so here.
A transformed or parsed SQL statement.
The log of an SQL statement. For SQL statements, records:
- The statement executed (e.g. SELECT, INSERT, etc.)
- The data returned or modified by the statement
An SQL statement. For example:
SELECT name, email FROM users;
CipherStash uses workspaces to keep things organized. A workspace contains keysets, clients, and configuration, and can:
- Be used to separate environments (e.g. dev and prod)
- Be shared with other users
- Be associated with a custom identity provider
CipherStash's specialised key management service. ZeroKMS provides high performance batch encryption and decryption, enabling a unique encryption key per field. See our intro to Zero trust key management for details.