Encrypted, searchable PII?
You better believe it.

CipherStash does the hard work to make securing your PII easy.

Built from the ground up to be secure, fast and easy to use.

Read the research paper

A new kind of data storage platform

When your code interacts with the CipherStash Data Platform, every query, insert and update is encrypted before it is sent across the network, using keys that you control. This means that sensitive data is always protected, but you can still search it using the kinds of queries you're familiar with.

Trailblazing encryption, in your hands

Where you store data matters

Whether it's in a traditional SQL database, a NoSQL store or a search index, where and how you store sensitive data is paramount to keeping it secure. If data security is important to you, then you probably already use encryption of some form or another, but it might not be as secure as you think.

A diagram showing an encrypted data storage that is connected to an unencrypted database. The query "name.match(ace)" is executed and it is noted that the database is unencrypted and therefore readable by admins or attackers. Labels: file storage fully encrypted on disk; data readable by admins or attackers; full query support; unencrypted request.
A diagram showing an encrypted data storage that is connected to an encrypted database. The query "doc.id = 123" is executed and it is noted that while the database is now encrypted there is no more complex query support. Labels: file storage fully encrypted on disk; encrypted rows; no query support; unencrypted request.
A diagram showing an encrypted data storage that is connected to an encrypted database. A query is executed but we can't see it because it is encrypted as well as the database. It is noted that now both database and query are fully encrypted with full query support. Labels: file storage fully encrypted on disk; database encrypted; full query support; encrypted request.

The Problem

Transparent Data Encryption

Transparent Data Encryption (TDE) is a common approach that encrypts the underlying filesystem of your database. Clients can access data as normal but TDE offers only limited protection because in a running database, everything is decrypted.

Database records encrypted directly

One alternative is to encrypt every column and row in your database. While this offers good levels of security, the ability to perform useful queries either disappears entirely or comes with major trade-offs. Records can only be retrieved by an unencrypted (or deterministic) primary key.
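The trade-off described above, as an added Node.js example (not CipherStash code): fields are encrypted with randomised AES-256-GCM, so the only server-side lookup that still works is an exact match on a deterministic keyed token. The key handling, field names and sample rows are assumptions constructed for the demo.

```javascript
// Added illustration of record-level encryption with a deterministic lookup key.
// Not CipherStash code; key handling and field names are assumptions for the demo.
const { createCipheriv, createDecipheriv, createHmac, randomBytes } = require("node:crypto");

const encKey = randomBytes(32);   // constructed demo keys; real ones live in a KMS
const indexKey = randomBytes(32);

// Randomised AES-256-GCM: the same plaintext never encrypts to the same value.
function encryptField(plaintext) {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", encKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString("hex");
}

function decryptField(hex) {
  const raw = Buffer.from(hex, "hex");
  const decipher = createDecipheriv("aes-256-gcm", encKey, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString("utf8");
}

// Deterministic keyed token: equal inputs give equal tokens, so the server can
// match on it, and can also see which rows share a value.
function lookupKey(value) {
  return createHmac("sha256", indexKey).update(value.trim().toLowerCase()).digest("hex");
}

function insertCustomer(table, { name, email }) {
  table.push({ emailKey: lookupKey(email), name: encryptField(name), email: encryptField(email) });
}

// Exact lookup works: the client sends only the token.
function findByEmail(table, email) {
  const token = lookupKey(email);
  return table.filter((row) => row.emailKey === token).map((row) => decryptField(row.name));
}

// What the server can do with name.match("ja"): scan ciphertext, which never matches.
function serverSideNameMatch(table, fragment) {
  return table.filter((row) => row.name.includes(fragment)).length;
}

const table = [];
insertCustomer(table, { name: "Jane Smith", email: "jane@example.com" }); // constructed rows
insertCustomer(table, { name: "Ada Example", email: "ada@example.com" });
console.log(findByEmail(table, "JANE@example.com"), serverSideNameMatch(table, "ja"));
```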

The Solution

CipherStash

CipherStash uses a searchable encryption scheme, which means data is always encrypted (including field names) but remains searchable by clients with the appropriate key. Even the queries themselves are encrypted! This gives your sensitive data very high levels of protection without compromising on usability.

Built from the start for security

CipherStash was designed from the start to meet very high levels of security and compliance. Instead of building on top of existing relational databases or search indexes (which have major security drawbacks, even when encrypted), CipherStash uses a fast, memory-mapped B-tree and an Order-Revealing Encryption scheme based on research from Stanford University.

Based on Industry Standard Cryptography

CipherStash is based on existing primitives like AES and SHA-256. It's actually kinda boring! But that means there is less to go wrong.

Read: Order Revealing Encryption
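How order-revealing encryption can be built from a standard primitive, as an added Node.js example (not CipherStash code): it implements the bitwise construction published by Chenette, Lewi, Weis and Wu with HMAC-SHA-256 as the PRF, chosen here for brevity. The page does not say which scheme CipherStash uses; the key handling, row layout and sample salaries are assumptions constructed for the demo.

```javascript
// Added illustration of a bitwise order-revealing encryption scheme (Chenette,
// Lewi, Weis, Wu). Not CipherStash code; key handling is an assumption.
const { createHmac, randomBytes } = require("node:crypto");

const BITS = 32; // plaintexts are unsigned 32-bit integers

// PRF over (bit position, preceding bits), reduced to {0, 1, 2}.
function prf(key, index, prefix) {
  const mac = createHmac("sha256", key).update(`${index}:${prefix}`).digest();
  return mac.readUInt32BE(0) % 3; // slight modulo bias, acceptable for a demo
}

// Ciphertext element i is PRF(prefix before bit i) + bit i, mod 3.
function oreEncrypt(key, value) {
  const bits = (value >>> 0).toString(2).padStart(BITS, "0");
  return Array.from(bits, (bit, i) => (prf(key, i, bits.slice(0, i)) + Number(bit)) % 3);
}

// Keyless comparison the server can run: returns -1, 0 or 1.
function oreCompare(a, b) {
  const i = firstDifference(a, b);
  if (i === -1) return 0;
  return (a[i] + 1) % 3 === b[i] ? -1 : 1;
}

// The leakage: the server also learns the first bit position where two
// plaintexts differ (-1 when they are equal).
function firstDifference(a, b) {
  return a.findIndex((x, i) => x !== b[i]);
}

// Server-side range filter over ciphertexts only (the shape of a .gt() query).
function rangeGreaterThan(rows, boundCt) {
  return rows.filter((row) => oreCompare(row.salaryCt, boundCt) > 0).map((row) => row.id);
}

const key = randomBytes(32); // constructed demo key, held by the client
const rows = [85000, 120000, 100000, 250000] // constructed sample salaries
  .map((salary, id) => ({ id, salaryCt: oreEncrypt(key, salary) }));
console.log(rangeGreaterThan(rows, oreEncrypt(key, 100000)));
```

The comparison needs no key, which is what lets a server index and range-scan ciphertexts; the cost is that it reveals order and the position of the first differing bit for every pair it compares.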

Snapshot Secure

CipherStash is resistant to "snapshot attacks" where an attacker can get a copy of your entire database system - including files, logs and a copy of all running memory.

AWS: Your account or ours?

CipherStash runs in AWS and allows you to host parts of the infrastructure in your own account.

Next generation authentication

Say goodbye to credentials in connection strings! Connect to CipherStash using flexible, secure auth schemes that don't require you to reinvent the wheel.

A diagram showing four boxes with the label Application, Authenticate Identity Provider, Encrypt/Decrypt and Data Service. The Application box is highlighted.
A diagram showing four boxes with the label Application, Authenticate Identity Provider, Encrypt/Decrypt and Data Service. It shows a highlighted arrow from the Application box to the Authenticate Identity Provider box which is highlighted.
A diagram showing four boxes with the label Application, Authenticate Identity Provider, Encrypt/Decrypt and Data Service. It shows an arrow back from the Authenticate Identity Provider box to the Application box labeled "Token" and an arrow from the Application box to the Encrypt/Decrypt which is highlighted. The arrow is labeled "Token".
A diagram showing four boxes with the label Application, Authenticate Identity Provider, Encrypt/Decrypt and Data Service. It shows two arrows from the Encrypt/Decrypt box to the Data Service box and back. The arrows are labeled with random tokens "af3d11" and "ba1a1c".

Your Application

Any NodeJS application can use CipherStash. Other languages and frameworks coming soon.

Authenticate

Your app authenticates to a supported Identity Provider. You can use your existing IdP or the one hosted by CipherStash. Both user and machine-to-machine flows are supported.

Supported Providers

More integrations coming soon

Encryption Service

Both documents and queries are encrypted (and decrypted) using the encryption service. We can fully manage it for you (still with keys that you control) or you can manage the whole thing yourself (coming soon).

Diagram: an encrypted document (id: abc11c33) with fields Enc(name), Enc(dob) and Enc(email), alongside encrypted indexes.

Data Service

Documents are stored in the end-to-end, searchable encrypted data store which can then be queried with fully encrypted queries.

The Data Service is fully managed in the CipherStash cloud but never sees any data in the clear.

Text search over encrypted data

Partial or Exact Matches

CipherStash allows you to perform text searches over your data set with close to the performance of traditional data stores. Both the queries and the replies are encrypted end-to-end.

// Partial string match
await customers.all(
  customer => customer.name.match("Ada")
)

// Exact ("keyword") match
await customers.all(
  customer => customer.status.eq("active")
)

Range queries over encrypted data

Range Queries

Fetch all records that match a range condition such as integers greater than x or records before a timestamp.

// All customers who signed up in the last 30 days
const DAYS_30 = 30 * 24 * 60 * 60 * 1000 // 30 days in milliseconds
let monthAgo = new Date(Date.now() - DAYS_30)
let results = await customers.all(
  customer => customer.signedUpAt.gte(monthAgo)
)

Combinations!

Combine query types

Combine constraints on multiple fields or compose queries for great flexibility.

// All full-time employees paid over $100k
let results = await employees.all(
  employee =>
    all(
      employee.salary.gt(100000),
      employee.employment.eq("full-time")
    )
)

Read more in our Docs!

All the mod cons

Standard serialisation formats

CipherStash uses industry-leading serialisation formats to reduce attack surface and mitigate attacks like:

Injection attacks

Stops data injection by strictly only supporting primitive data types

Privilege escalation

Stops attackers gaining Remote Code Execution through object deserialisation

Denial of Service attacks

Stops resource exhaustion by strictly dropping and logging badly formatted requests

Industry leading authentication

Say goodbye to credentials in connection strings!

CipherStash is built with industry-leading third-party identity providers, with a zero-trust model, to mitigate vulnerabilities like:

Broken authentication

Limit impact of compromised credentials and account takeovers — involved in 20% of all breaches

Broken access controls

Limit privilege escalation, through strictly scoped credentials.

TLS everywhere

Take transport layer security to the next level by terminating in the database itself, mitigating attacks like:

Sensitive data exposure

Queries are encrypted, and encrypted again on the wire to and from CipherStash

Injection attacks

Responses are encrypted on the wire to stop attackers interfering with your query responses.

Replay attacks

CipherStash strictly uses Forward Secrecy ciphers (ECDHE, DHE) with TLS >=1.2 to ensure compromised keys don’t result in total data exposure.