CipherStash Glossary

This glossary explains concepts and terms used in CipherStash.


  • CipherStash is a searchable encryption platform that allows you to encrypt sensitive data in your database, while maintaining the ability to query it.
  • CipherStash Proxy is a proxy that intercepts SQL queries to your database, encrypting and decrypting sensitive data on the fly.
    • This allows you to encrypt sensitive data in your database without having to change your application code.
    • This also gives you a cryptographically-proven audit trail of all access to sensitive data.


Account management

Definition: Activities to administer your CipherStash account, such as billing and adding or removing users.


Definition: Our product that provides insights into what database queries are being executed, and what rows are being returned.

Audit UI

Definition: The user interface in Console for exploring the data generated by CipherStash Proxy and ZeroKMS, including data access logs and statement logs.


Definition: An encrypted version of plaintext, produced by applying an encryption algorithm (a cipher). It is unreadable without a cipher to decrypt it. Related: Plaintext

CipherStash CLI

Definition: The command line tool for interacting with CipherStash services.

CipherStash Proxy

Definition: A database proxy that sits between an application and a database, providing capabilities used by Audit, Identify, and Encrypt.


Definition: A programmatic access point to a dataset. Each dataset can have multiple clients, but a client is associated with only one dataset.

Client ID

Definition: The unique identifier of a client.

Client secret

Definition: A secret key used to authenticate a client to CipherStash, used in conjunction with a client key.

Client key

Definition: A key used to authenticate a client to CipherStash, used alongside a client secret.

Configured table

Definition: A table that has configured columns. Any queries against it need to be mapped: parameters require encryption and results require decryption.


Definition: The web interface for configuring and using Audit, Identify, and Encrypt.
Available at


Definition: CipherStash Token Service.

Data access event

Definition: An event triggered by the execution of SQL statements by CipherStash Proxy. Includes metadata about the statement execution and the records accessed.

Data access event log

Definition: An append-only log of data access events produced by CipherStash Proxy and consumed by Audit.


Definition: A storage unit for one or more database tables containing data for encryption. It includes configuration for encrypted columns and queryable indexes.


Definition: The target database.


Definition: Our product that provides record-level encryption, enabling masking and tokenisation.

Encrypt UI

Definition: The user interface in Console for configuring encryption in databases protected with CipherStash Proxy.


Definition: Our product that provides identity information to tie database queries back to real users.

Identify UI

Definition: The user interface in Console for configuring an IDP or pool of users to use with CipherStash Identify.


Definition: A third party identity provider, like Auth0, Okta, and Ping.


Definition: An encrypted data structure for finding records in encrypted columns. Essential for querying encrypted data, as it replaces the need for full table scans, improving performance. Note: Encrypted indexes are a core feature of CipherStash, supporting range, exact, and match queries.

Mapped statement

Definition: A statement that has been transformed and expanded during encryption.

ORE (Order Revealing Encryption)

Definition: A searchable encryption technique allowing for search, comparison, and sorting of encrypted data without decryption.


Definition: Unencrypted information, readable by humans and computers.

plaintext-duplicate mode

Definition: An encryption mode in CipherStash where a field's value is duplicated in plaintext and encrypted columns, with queries only made on the plaintext column.

encrypted-duplicate mode

Definition: An encryption mode in CipherStash where a field's value is duplicated in plaintext and encrypted columns, with reads and decryption from the encrypted column, and queries on encrypted indexes.

encrypted mode

Definition: An encryption mode in CipherStash where a field's value is only in encrypted columns, with both reads and queries performed on these encrypted elements.

Sign in

Definition: The act of logging in to your CipherStash account.

Sign out

Definition: The act of logging out of your CipherStash account.

Sign up

Definition: The act of creating a CipherStash account.

Statement AST

Definition: A transformed or parsed statement.

Statement log

Definition: The log of an SQL statement.

Statement string

Definition: An SQL string.

Unsafe statement (string/AST)

Definition: An input statement that has not been mapped. This is the statement that the client thinks they are using. What we tell the client needs to match this original query.

Virtual column

Definition: A table column that does not exist, but that is mapped to an encrypted column and managed by CipherStash. Clients use the virtual column to interact with the database.
An example is an email column that is mapped to __email_encrypted.

Virtual schema

Definition: The database schema as it appears with virtual columns and without any of the underlying CipherStash columns or tables. An example is the schema of a users table with encrypted email.
users: [id, __email_encrypted]
Virtual schema:
users: [id, email]


Definition: A specialised key management service that provides high performance batch encryption and decryption, enabling a unique encryption key per field. A feature of Encrypt.
