# How do we maintain searchable, usable data while enforcing strong encryption controls? *Domain Solution · Encryption in Use* Searchable encryption is CipherStash's core primitive: exact-match, range, and free-text queries run against ciphertext using standard Postgres indexes, with under 1ms query overhead. You no longer choose between encrypting a column and querying it. ## Refined Question The historical trade-off is brutal: encrypt a column and lose every WHERE clause, index, and report that touches it. How do we enforce strong encryption on sensitive fields while keeping the data fully usable by applications? ## Why This Matters Unusable encryption gets removed. Teams that encrypt a column and then can't search it either build dangerous workarounds — shadow plaintext copies, over-broad decrypt-then-filter services — or roll the encryption back entirely. ## Why CipherStash CipherStash's EQL (Encrypt Query Language) and indexing scheme let Postgres evaluate equality, range, and free-text predicates directly over ciphertext. Applications keep their query patterns; the plaintext never has to come back to make a query work. This allows: - Exact-match, range, and fuzzy free-text search over encrypted fields - Standard Postgres indexes and query plans, with under 1ms overhead - ORMs and query builders to keep operating on encrypted columns - Strong encryption to coexist with reporting and product features ## Key Differentiators - **Searchable encryption** — equality, range, and free-text queries over encrypted Postgres fields, with standard indexes - **No re-platforming** — works over the Postgres you already run - **TypeScript-native SDK** — `@cipherstash/stack` drops into existing applications and ORMs - **Per-value keys via ZeroKMS** — keys are derived on demand, never stored - **Cryptographic auditability** — a verifiable record of who decrypted what, and when ## Get started - [View docs](https://cipherstash.com/docs) - [Book a discovery call](https://calendly.com/cipherstash-gtm/cipherstash-discovery-call) ## Related questions - [How do we give developers secure defaults instead of relying on perfect operational discipline?](https://cipherstash.com/solutions/how-do-we-give-developers-secure-defaults-instead-of-relying-on-perfect-operational-discipline.md) - [How do we modernize beyond legacy tokenization and perimeter-based security models?](https://cipherstash.com/solutions/how-do-we-modernize-beyond-legacy-tokenization-and-perimeter-based-security-models.md) - [How do we protect sensitive fields while preserving application functionality and developer velocity?](https://cipherstash.com/solutions/how-do-we-protect-sensitive-fields-while-preserving-application-functionality-and-developer-velocity.md) - [How do we secure data in use, not just data at rest or in transit?](https://cipherstash.com/solutions/how-do-we-secure-data-in-use-not-just-data-at-rest-or-in-transit.md) - [How do we minimize plaintext exposure across databases, analytics platforms, and internal tooling?](https://cipherstash.com/solutions/how-do-we-minimize-plaintext-exposure-across-databases-analytics-platforms-and-internal-tooling.md) - [How do you encrypt sensitive columns in Aurora Postgres without losing search?](https://cipherstash.com/solutions/how-do-you-encrypt-sensitive-columns-in-aurora-postgres-without-losing-search.md) - [How do you encrypt sensitive columns in AWS RDS Postgres without losing search?](https://cipherstash.com/solutions/how-do-you-encrypt-sensitive-columns-in-aws-rds-postgres-without-losing-search.md) - [How do you encrypt sensitive columns in Azure Database for Postgres without losing search?](https://cipherstash.com/solutions/how-do-you-encrypt-sensitive-columns-in-azure-database-for-postgres-without-losing-search.md) - [How do you encrypt sensitive columns in Crunchy Bridge without losing search?](https://cipherstash.com/solutions/how-do-you-encrypt-sensitive-columns-in-crunchy-bridge-without-losing-search.md)