CipherStash glossary

Access key

A persistent authentication credential used for communication with ZeroKMS.

Account management

Activities to administer your CipherStash account, like billing, adding, and removing users.

Ciphertext

An encrypted version of plaintext, produced by applying an encryption algorithm (a cipher). It is unreadable without a cipher to decrypt it. Related: Plaintext

CipherStash CLI

The command line tool for interacting with CipherStash services.

CipherStash Proxy

A database proxy that sits between an application and a database, enhancing your existing database with encryption in use. CipherStash Proxy works in tandem with your existing infrastructure and is fully contained within your environment.
See our intro to CipherStash Proxy for details.

Client

A programmatic access point to a dataset. Each dataset can have multiple clients, but a client is associated with only one dataset.

Client ID

The unique identifier of a client.

Configured table

A table with configured columns and any queries that need to be mapped, parameters that require encryption and results that require decryption.

CTS

CipherStash Token Service.

Dashboard

The web interface for configuring and using CipherStash Proxy.
Available at dashboard.cipherstash.com.

Data access event

An event triggered by the execution of SQL statements by CipherStash Proxy. Includes metadata of statements executed and records accessed.

Data access event log

An append-only log of data access events produced by the CipherStash Proxy and consumed by Audit.

Dataset

A storage unit for one or more database tables containing data for encryption. It includes configuration for encrypted columns and queryable indexes.

Downstream

The target database.

Encrypt Query Language (EQL)

Our open-source library for PostgreSQL users. It simplifies the process of encrypting and querying sensitive data, giving you powerful tools to encrypt data transparently at the field level, query encrypted data directly using familiar SQL commands, and leverage encrypted indexes for secure and efficient searches.

IDP

A third party identity provider, like Auth0, Okta, or Ping.

Mapped statement

A statement that has been transformed during encryption.

ORE (Order Revealing Encryption)

A searchable encryption technique allowing for search, comparison, and sorting of encrypted data without decryption.

Plaintext

Unencrypted information, readable by humans and computers.

Proxy

A database proxy that sits between an application and a database, enhancing your existing database with encryption in use. CipherStash Proxy works in tandem with your existing infrastructure and is fully contained within your environment.
See our intro to CipherStash Proxy for details.

Searchable encrypted metadata

An encrypted data structure for finding records in encrypted columns. Essential for querying encrypted data, as it replaces the need for full table scans, improving performance. Note: This is a core feature of CipherStash, supporting range, exact, and match queries.

Sign up

The act of creating a CipherStash account.

Statement AST

A transformed or parsed SQL statement.

Statement audit log

The log of an SQL statement. For SQL statements, records:

  • The statement executed (e.g. SELECT, INSERT etc)
  • The data returned or modified by the statement

Statement string

An SQL string.

Virtual schema

The database schema as it appears with Virtual Columns and without any of the underlying CipherStash columns or tables. An example is the schema of a users table with encrypted email.
Schema:
users: [id, __email_encrypted]
Virtual schema:
users: [id, email]

ZeroKMS

A specialised key management service that provides high performance batch encryption and decryption, enabling a unique encryption key per field. See our intro to Zero trust key management for details.
