CipherStashDocs

Searchable field-level encryption. Range queries, exact match, and free-text search over ciphertext with sub-millisecond overhead.

Searchable field-level encryption for Postgres. Every value encrypted with its own unique key via ZeroKMS. Range queries, exact match, free-text fuzzy search, and JSON queries over ciphertext. Sub-millisecond overhead on existing indexes.

This is the primitive everything else depends on.

What you get

  1. Unique key per value. Not a shared table key. Each field gets its own data encryption key, derived via ZeroKMS.
  2. Searchable encryption. Exact match, free-text search, range queries, and ordering over ciphertext in PostgreSQL.
  3. Encrypted JSONB. Query encrypted JSON fields using JSONPath selectors and containment operators.
  4. Bulk operations. Encrypt or decrypt thousands of values in a single ZeroKMS call.
  5. Identity-aware encryption. Tie encryption to a user's JWT. Only that user decrypts their data.
  6. Tenant isolation via keysets. One keyset per customer. Provable cryptographic separation, not policy enforcement.
  7. TypeScript-first. Strongly typed schemas, results, and model operations.

How it works

  1. Initialize your project: Run npx stash init to authenticate, install EQL, scaffold the encryption client, and write .cipherstash/context.json.
  2. Draft a plan: Run npx stash plan to hand off to a coding agent, which produces a reviewable plan at .cipherstash/plan.md.
  3. Execute the plan: Run npx stash impl to confirm the plan and let the agent wire up encryption in your codebase.
  4. Encrypt and store: Encrypt values before writing to your database.
  5. Query encrypted data: Encrypt query terms and run them against your encrypted columns.
  6. Decrypt on read: Decrypt values when reading from the database.

All key management (key generation, derivation, and isolation) is handled by ZeroKMS. Encryption keys are organized into Key Sets, the same primitive that will power environment isolation in Secrets (coming soon).
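The encrypt, query, decrypt flow of steps 4 to 6, as an added example that is not CipherStash's code: it models the data flow with Node's built-in crypto module only, not the @cipherstash/stack API, and not CipherStash's actual scheme (in the real system key derivation and searchable indexes are handled by ZeroKMS and EQL). The root key, index key, cell layout, and the HMAC-based equality token are constructed stand-ins chosen to make the flow runnable offline.

```typescript
// Added example: simplified model of "encrypt before write, encrypt the query
// term, decrypt on read". Uses only Node's crypto module. This is NOT the
// @cipherstash/stack API and NOT CipherStash's scheme (ZeroKMS / EQL); the
// key material and index construction below are constructed stand-ins.
import { createCipheriv, createDecipheriv, createHmac, hkdfSync, randomBytes } from "node:crypto";

// Constructed root material standing in for keys a KMS would hold (hypothetical).
const ROOT_KEY = randomBytes(32);   // input keying material for per-value data keys
const INDEX_KEY = randomBytes(32);  // separate key for the exact-match index token

interface EncryptedCell {
  salt: string;        // per-value salt, so every value gets its own derived key
  iv: string;          // per-value nonce for AES-GCM
  ciphertext: string;  // randomized ciphertext; never compared directly
  tag: string;         // GCM authentication tag
  eqIndex: string;     // deterministic token that makes exact-match lookup possible
}

// Derive a unique data encryption key for one value from the root key and a fresh salt.
function deriveValueKey(salt: Buffer): Buffer {
  return Buffer.from(hkdfSync("sha256", ROOT_KEY, salt, "field-dek", 32));
}

// Deterministic equality token: the same plaintext always yields the same token,
// so the database can match it with an ordinary WHERE clause without the plaintext.
function equalityToken(plaintext: string): string {
  return createHmac("sha256", INDEX_KEY).update(plaintext, "utf8").digest("hex");
}

// Step 4: encrypt the value before writing it to the database.
function encryptValue(plaintext: string): EncryptedCell {
  const salt = randomBytes(16);
  const key = deriveValueKey(salt);
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    salt: salt.toString("hex"),
    iv: iv.toString("hex"),
    ciphertext: ct.toString("hex"),
    tag: cipher.getAuthTag().toString("hex"),
    eqIndex: equalityToken(plaintext),
  };
}

// Step 6: decrypt on read. Re-derive the per-value key from the stored salt,
// then verify the tag and recover the plaintext.
function decryptValue(cell: EncryptedCell): string {
  const key = deriveValueKey(Buffer.from(cell.salt, "hex"));
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(cell.iv, "hex"));
  decipher.setAuthTag(Buffer.from(cell.tag, "hex"));
  return Buffer.concat([
    decipher.update(Buffer.from(cell.ciphertext, "hex")),
    decipher.final(),
  ]).toString("utf8");
}

// Step 5: encrypt the query term, then compare index tokens. The in-memory
// array stands in for SELECT ... WHERE email_eq = $1 on an encrypted column.
function findByExactMatch(rows: EncryptedCell[], term: string): EncryptedCell[] {
  const token = equalityToken(term);
  return rows.filter((row) => row.eqIndex === token);
}

// Constructed sample data: three rows, two of them sharing a plaintext.
const table: EncryptedCell[] = [
  "alice@example.com",
  "bob@example.com",
  "alice@example.com",
].map(encryptValue);

// Stand-alone run: look up by plaintext term, decrypt the hits.
const hits = findByExactMatch(table, "alice@example.com");
console.log(hits.length, hits.map(decryptValue));
```

Two design points carry over to any searchable-encryption deployment. The randomized per-value key and nonce are why the two ciphertexts of the same address differ, so the ciphertext column by itself reveals nothing about repeated values. The deterministic equality token is what makes the lookup a plain equality comparison, and its price is that identical plaintexts produce identical tokens: the token column alone shows which rows share a value and how often, which is why such indexes are kept under a separate key and added only to fields that actually need exact-match queries.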

Integration paths

Encryption SDK
  Best for: Teams who want fine-grained control over data encryption directly in their application
  Setup: npx stash init
  Database: PostgreSQL (full searchable encryption)

CipherStash Proxy
  Best for: DevOps teams who want to add encryption to existing PostgreSQL apps with little to no code changes
  Setup: Docker container, configure environment variables
  Database: PostgreSQL (transparent proxy)

Performance

  • Latency: < 5ms overhead for most operations (benchmarks)
  • Throughput: Scales with your application performance
  • Setup time: Running in local dev in < 1 hour, production in < 3 days

CipherStash CLI

CipherStash CLI (stash) is the dev-time CLI for setting up your database. It handles installing the EQL extension, validating schemas, and managing the encryption lifecycle. Think of it like Drizzle Kit or Prisma CLI: a companion tool that sets up the database while @cipherstash/stack handles runtime encryption.

stash init scaffolds the encryption client, installs EQL, and writes .cipherstash/context.json. Then run stash plan to draft an encryption plan and stash impl to execute it.

npx stash init             # Interactive project setup (auth, EQL install, client scaffold)
npx stash plan             # Draft a reviewable encryption plan
npx stash impl             # Execute the plan with a coding agent
npx stash db validate      # Check schema for misconfigurations
npx stash db status        # Show EQL installation state
