# How do we ensure sensitive data remains protected even if the database itself is compromised?

*Domain Solution · Zero Trust & Exposure Reduction*

A breached Postgres instance yields ciphertext, not customer data: every sensitive value is encrypted with its own key, and keys are derived on demand by ZeroKMS rather than stored anywhere an attacker can take them. Dumping the database — or its backups — produces nothing usable.

## Refined Question

If an attacker obtains full read access to our database — through SQL injection, a stolen superuser credential, or a leaked backup — what do they actually get? How do we make the answer "ciphertext" rather than "everything"?

## Why This Matters

The database is the highest-value target in the stack, and full-database compromise is the worst-case scenario behind most breach headlines. Transparent disk encryption doesn't help here: the database happily decrypts everything for anyone who can query it.

## Why CipherStash

CipherStash encrypts each sensitive value with its own key before it reaches Postgres, and ZeroKMS derives keys per request rather than storing them. The database never holds the means of decryption, so compromising it — or its replicas and backups — yields ciphertext.

This allows:

- Full-database dumps and stolen backups to contain no usable sensitive data
- SQL injection to read ciphertext instead of customer records
- Key compromise at rest to be structurally impossible — keys aren't stored
- Breach disclosure scope to be limited to what was actually decrypted
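
A generic sketch of the pattern described above (each value encrypted under its own derived key before it reaches Postgres), added here as an example and not CipherStash or ZeroKMS code. It assumes HKDF from a root key held outside the database and AES-256-GCM; `ROOT_KEY`, the `users.email` context strings, and the sample rows are constructed for illustration.

```javascript
// Added illustration: generic per-value key derivation, not CipherStash or ZeroKMS code.
const crypto = require("node:crypto");

// Assumption: the root key lives in a key service outside the database.
const ROOT_KEY = crypto.randomBytes(32);

// Derive a one-off AES-256 key for a single value from the root key and a
// random per-value salt. The derived key is used once and never stored.
function deriveValueKey(rootKey, salt, context) {
  return Buffer.from(crypto.hkdfSync("sha256", rootKey, salt, context, 32));
}

// Encrypt one field before it is sent to Postgres. `context` (table.column:row)
// is authenticated, so a ciphertext copied into another row will not decrypt.
function encryptValue(rootKey, context, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveValueKey(rootKey, salt, context), iv);
  cipher.setAAD(Buffer.from(context));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return [salt, iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64")).join(".");
}

function decryptValue(rootKey, context, stored) {
  const [salt, iv, tag, ct] = stored.split(".").map((s) => Buffer.from(s, "base64"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", deriveValueKey(rootKey, salt, context), iv);
  decipher.setAAD(Buffer.from(context));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Constructed sample rows: what the users table holds after the application writes to it.
const table = [
  { id: 1, email: encryptValue(ROOT_KEY, "users.email:1", "alice@example.com") },
  { id: 2, email: encryptValue(ROOT_KEY, "users.email:2", "bob@example.com") },
];

// What a full dump or stolen backup contains: the rows, and no root key.
function dumpDatabase() { return JSON.stringify(table); }

// Returns the plaintext, or null when the key or the row binding is wrong.
function tryDecrypt(rootKey, context, stored) {
  try { return decryptValue(rootKey, context, stored); } catch { return null; }
}
```

Only a caller holding the root key and the correct row context gets plaintext back; the stored column carries the salt, IV, tag, and ciphertext, none of which is sufficient to derive the value key.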

## Key Differentiators

- **Per-value keys via ZeroKMS** — keys are derived on demand, never stored
- **Application-layer encryption** — data is protected before it reaches the database
- **Searchable encryption** — equality, range, and free-text queries over encrypted Postgres fields, with standard indexes
- **Cryptographic auditability** — a verifiable record of who decrypted what, and when
- **No re-platforming** — works over the Postgres you already run

## Get started

- [View docs](https://cipherstash.com/docs)
- [Book a discovery call](https://calendly.com/cipherstash-gtm/cipherstash-discovery-call)

## Related questions

- [How do we contain insider threat risk and accidental misuse of customer data?](https://cipherstash.com/solutions/how-do-we-contain-insider-threat-risk-and-accidental-misuse-of-customer-data.md)
- [How do we cryptographically enforce least privilege and data segmentation?](https://cipherstash.com/solutions/how-do-we-cryptographically-enforce-least-privilege-and-data-segmentation.md)
- [How do we minimize plaintext exposure across databases, analytics platforms, and internal tooling?](https://cipherstash.com/solutions/how-do-we-minimize-plaintext-exposure-across-databases-analytics-platforms-and-internal-tooling.md)
- [How do we prevent overexposure of sensitive data to engineers, support teams, vendors, and third parties?](https://cipherstash.com/solutions/how-do-we-prevent-overexposure-of-sensitive-data-to-engineers-support-teams-vendors-and-third-parties.md)
- [How do we reduce the blast radius if credentials, identities, or internal systems are compromised?](https://cipherstash.com/solutions/how-do-we-reduce-the-blast-radius-if-credentials-identities-or-internal-systems-are-compromised.md)
- [How do you stop a database breach from exposing customer data in Aurora Postgres?](https://cipherstash.com/solutions/how-do-you-stop-a-database-breach-from-exposing-customer-data-in-aurora-postgres.md)
- [How do you stop a database breach from exposing customer data in AWS RDS Postgres?](https://cipherstash.com/solutions/how-do-you-stop-a-database-breach-from-exposing-customer-data-in-aws-rds-postgres.md)
- [How do you stop a database breach from exposing customer data in Azure Database for Postgres?](https://cipherstash.com/solutions/how-do-you-stop-a-database-breach-from-exposing-customer-data-in-azure-database-for-postgres.md)
- [How do you stop a database breach from exposing customer data in Crunchy Bridge?](https://cipherstash.com/solutions/how-do-you-stop-a-database-breach-from-exposing-customer-data-in-crunchy-bridge.md)
- [How do you stop a database breach from exposing customer data in DigitalOcean Managed Postgres?](https://cipherstash.com/solutions/how-do-you-stop-a-database-breach-from-exposing-customer-data-in-digitalocean-managed-postgres.md)

