Encrypt tool
Use the encrypt CLI tool to encrypt existing data or apply index changes after updating CipherStash Proxy encryption configuration.
CipherStash Proxy includes an encrypt tool, a CLI application to encrypt existing plaintext data or apply index changes after updating the encryption configuration of a protected database.
Usage
Encrypt data from a source column into a specified encrypted target column. The tool connects to CipherStash Proxy using the cipherstash.toml configuration or environment variables.
cipherstash-proxy encrypt [OPTIONS] --table <TABLE> --columns <SOURCE_COLUMN=TARGET_COLUMN>...
How it works
The process for encrypting a column is:
- Add a new encrypted destination column with the appropriate encryption configuration.
- Use CipherStash Proxy to process the migration:
  - Select from the original plaintext column.
  - Update the encrypted column with the plaintext value.
- Drop the original plaintext column.
- Rename the encrypted column to the original plaintext column name.
The encrypt tool automates this process. Updates run in batches of 100 records (configurable via --batch-size). The process is idempotent and can be run repeatedly.
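The batched copy described above, sketched as an added example that is not CipherStash code: it runs against an in-memory SQLite table instead of a protected PostgreSQL database. `proxy_stub`, the keyset pagination, and the `plaintext_only_rows` check are assumptions made for illustration, not the tool's documented internals.

```python
import sqlite3

def proxy_stub(plaintext):
    # Stand-in for CipherStash Proxy, which does the real encryption.
    # This marker is NOT encryption; it only makes processed rows visible.
    return None if plaintext is None else f"ENC({plaintext})"

def encrypt_column(db, table, source, target, pk=("id",), batch_size=100, dry_run=False):
    """Copy source into target in primary-key order, one batch at a time."""
    # Identifiers are interpolated: pass trusted constants only, never user input.
    keys = ", ".join(pk)
    marks = ", ".join("?" for _ in pk)
    match = " AND ".join(f"{k} = ?" for k in pk)
    last, handled = None, 0
    while True:
        # Keyset pagination: resume strictly after the last key already seen.
        where = f"WHERE ({keys}) > ({marks})" if last else ""
        rows = db.execute(
            f"SELECT {keys}, {source} FROM {table} {where} ORDER BY {keys} LIMIT ?",
            (*(last or ()), batch_size)).fetchall()
        if not rows:
            return handled
        if not dry_run:  # --dry-run loads data but performs no updates
            db.executemany(
                f"UPDATE {table} SET {target} = ? WHERE {match}",
                [(proxy_stub(row[-1]), *row[:-1]) for row in rows])
            db.commit()
        last, handled = rows[-1][:-1], handled + len(rows)

def plaintext_only_rows(db, table, source, target):
    """Rows whose value exists only in plaintext; must be 0 before the drop."""
    sql = f"SELECT count(*) FROM {table} WHERE {source} IS NOT NULL AND {target} IS NULL"
    return db.execute(sql).fetchone()[0]

def sample_db():
    # Constructed sample data: 250 users under a compound primary key.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, tenant_id INTEGER, email TEXT,"
               " encrypted_email TEXT, PRIMARY KEY (user_id, tenant_id))")
    db.executemany("INSERT INTO users (user_id, tenant_id, email) VALUES (?, ?, ?)",
                   [(u, t, f"user{u}@tenant{t}.example") for u in range(1, 126) for t in (1, 2)])
    return db

if __name__ == "__main__":
    db = sample_db()
    args = ("users", "email", "encrypted_email", ("user_id", "tenant_id"))
    print(encrypt_column(db, *args, dry_run=True), plaintext_only_rows(db, *args[:3]))
    print(encrypt_column(db, *args), plaintext_only_rows(db, *args[:3]))
```

In this sketch the irreversible steps, dropping and renaming the plaintext column, belong only after `plaintext_only_rows` returns 0.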
Configuration options
| Option | Description | Default |
|---|---|---|
| -t, --table | Specifies the table to migrate | Required |
| -c, --columns | List of columns to migrate (space-delimited key=value pairs) | Required |
| -k, --primary-key | List of primary key columns (space-delimited) | id |
| -b, --batch-size | Number of records to process at once | 100 |
| -d, --dry-run | Loads data but does not perform updates | Optional |
| -v, --verbose | Turns on additional logging output | Optional |
| -h, --help | Displays help message | — |
Examples
These examples assume a running CipherStash Proxy instance and a users table with:
- id: the primary key column
- email: the source plaintext column
- encrypted_email: the destination column configured for encrypted text
Encrypt a column
cipherstash-proxy encrypt --table users --columns email=encrypted_email
Specify a primary key column
cipherstash-proxy encrypt --table users --columns email=encrypted_email --primary-key user_id
Compound primary key
cipherstash-proxy encrypt --table users --columns email=encrypted_email --primary-key user_id tenant_id