Configuration

Configure ZeroKMS for local development and production, including workspace CRN, client and access keys, and keysets for multi-tenant key isolation.

KMS configuration

Local development

For local development, ZeroKMS credentials are handled automatically by device-based authentication. Run npx stash init to set up your device — see Getting started.

Production credentials

In production and CI/CD environments, ZeroKMS is configured through the same credentials used by the Encryption SDK. CS_WORKSPACE_CRN identifies your workspace in CRN format (e.g., crn:ap-southeast-2.aws:your-workspace-id).

For the full configuration reference (environment variables, programmatic config, and logging), see Encryption SDK configuration.

The following credentials are required for production:

  • Workspace CRN: identifies your workspace and region
  • Client ID: identifies your application client key
  • Client key: your half of the dual-party key split
  • Access key: API key for authenticating with CipherStash

See Going to production for a step-by-step guide to generating these credentials.

Keysets

To use a specific keyset for multi-tenant isolation, pass the keyset option:

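// Encryption is the client factory from the Encryption SDK;
// users is a table schema defined elsewhere in your application.
const client = await Encryption({
  schemas: [users],
  config: {
    // All key operations for this client use the named keyset.
    keyset: { name: "tenant-a" },
  },
})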

See Keysets for more details on multi-tenant key isolation.
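
One way to build on the keyset option in a multi-tenant service, as an added example that is not part of the CipherStash documentation or SDK: the keyset name is looked up from a fixed registry keyed by the authenticated tenant id, and one client is cached per tenant. The names makeTenantClients, KEYSETS and stubEncryption and the org_ tenant ids are hypothetical; createClient is assumed to be called the same way as Encryption() above.

```javascript
// Added example, not CipherStash code. `createClient` is expected to be the
// SDK's Encryption() function; a constructed stub is used here to run offline.

// Fixed map from authenticated tenant id to keyset name (constructed values).
// Keyset names are never built from request input, so a caller cannot select
// another tenant's keyset by supplying its name.
const KEYSETS = new Map([
  ["org_1001", "tenant-a"],
  ["org_1002", "tenant-b"],
]);

function makeTenantClients(createClient, schemas, keysets = KEYSETS) {
  const cache = new Map(); // tenant id -> Promise<client>

  return function clientFor(tenantId) {
    // Fail closed: an unknown or malformed tenant id gets no client at all,
    // rather than falling back to a shared or default keyset.
    if (typeof tenantId !== "string" || !keysets.has(tenantId)) {
      return Promise.reject(new Error("no keyset registered for tenant"));
    }
    let pending = cache.get(tenantId);
    if (!pending) {
      const name = keysets.get(tenantId);
      // The executor runs synchronously; a throw becomes a rejection.
      pending = new Promise((resolve) =>
        resolve(createClient({ schemas, config: { keyset: { name } } }))
      );
      cache.set(tenantId, pending);
      // Do not keep a failed initialisation cached; the next call retries.
      pending.catch(() => {
        if (cache.get(tenantId) === pending) cache.delete(tenantId);
      });
    }
    return pending;
  };
}

// Constructed stand-in for the SDK so the example runs without credentials.
const stubEncryption = async (opts) => ({ keyset: opts.config.keyset.name });
const clientFor = makeTenantClients(stubEncryption, ["users"]);
clientFor("org_1001").then((c) => console.log("org_1001 ->", c.keyset));
// A keyset name passed where a tenant id is expected is rejected.
clientFor("tenant-b").catch((e) => console.log("rejected:", e.message));
```

In a request handler, pass the tenant id from the verified session or token to clientFor, not a value taken from the request body or query string.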
