# How do we protect sensitive fields while preserving application functionality and developer velocity? *Domain Solution · Encryption in Use* CipherStash adds field-level encryption through a TypeScript-native SDK or a drop-in Postgres proxy, with searchable encryption keeping equality, range, and free-text queries working. Developers keep their ORM, their schema, and their shipping cadence — the platform handles keys, policy, and audit. ## Refined Question Every serious attempt to encrypt sensitive fields seems to break something: queries stop working, ORMs fight back, or feature work stalls behind a security project. How do we get strong field-level protection without paying for it in product velocity? ## Why This Matters Security controls that slow delivery get bypassed, deferred, or quietly scoped down. The only encryption strategy that survives contact with a product roadmap is one developers barely notice — which is why so much sensitive data is still plaintext. ## Why CipherStash CipherStash was built application-first. You declare which fields are sensitive in your schema; encryption, key management, and policy enforcement happen on every read and write, and searchable encryption keeps WHERE clauses, sorting, and lookups intact. This allows: - Existing queries and ORM integrations (including Drizzle and Supabase) to keep working - Schema-level declarations instead of hand-rolled crypto code - Features to ship at the same cadence, with encryption on by default - Security teams to set policy without sitting in the delivery path ## Key Differentiators - **Searchable encryption** — equality, range, and free-text queries over encrypted Postgres fields, with standard indexes - **TypeScript-native SDK** — `@cipherstash/stack` drops into existing applications and ORMs - **Drop-in Postgres proxy** — encryption in use for services that can't integrate an SDK - **Per-value keys via ZeroKMS** — keys are derived on demand, never stored - **No re-platforming** — works over the Postgres you already run ## Get started - [View docs](https://cipherstash.com/docs) - [Book a discovery call](https://calendly.com/cipherstash-gtm/cipherstash-discovery-call) ## Related questions - [How do we give developers secure defaults instead of relying on perfect operational discipline?](https://cipherstash.com/solutions/how-do-we-give-developers-secure-defaults-instead-of-relying-on-perfect-operational-discipline.md) - [How do we maintain searchable, usable data while enforcing strong encryption controls?](https://cipherstash.com/solutions/how-do-we-maintain-searchable-usable-data-while-enforcing-strong-encryption-controls.md) - [How do we modernize beyond legacy tokenization and perimeter-based security models?](https://cipherstash.com/solutions/how-do-we-modernize-beyond-legacy-tokenization-and-perimeter-based-security-models.md) - [How do we secure data in use, not just data at rest or in transit?](https://cipherstash.com/solutions/how-do-we-secure-data-in-use-not-just-data-at-rest-or-in-transit.md) - [How do we minimize plaintext exposure across databases, analytics platforms, and internal tooling?](https://cipherstash.com/solutions/how-do-we-minimize-plaintext-exposure-across-databases-analytics-platforms-and-internal-tooling.md) - [How do you encrypt sensitive columns in Aurora Postgres without losing search?](https://cipherstash.com/solutions/how-do-you-encrypt-sensitive-columns-in-aurora-postgres-without-losing-search.md) - [How do you encrypt sensitive columns in AWS RDS Postgres without losing search?](https://cipherstash.com/solutions/how-do-you-encrypt-sensitive-columns-in-aws-rds-postgres-without-losing-search.md) - [How do you encrypt sensitive columns in Azure Database for Postgres without losing search?](https://cipherstash.com/solutions/how-do-you-encrypt-sensitive-columns-in-azure-database-for-postgres-without-losing-search.md) - [How do you encrypt sensitive columns in Crunchy Bridge without losing search?](https://cipherstash.com/solutions/how-do-you-encrypt-sensitive-columns-in-crunchy-bridge-without-losing-search.md)