# How do we secure data in use, not just data at rest or in transit? *Domain Solution · Encryption in Use* CipherStash provides encryption in use: sensitive values stay encrypted inside the database and across your infrastructure, and are decrypted per value, per identity, only at the moment an authorised request needs them. At-rest and in-transit encryption protect disks and networks — CipherStash protects the data itself. ## Refined Question We already have TLS everywhere and encrypted volumes, yet every query, dashboard, and admin session still handles plaintext. How do we protect data during the part of its lifecycle where it is actually used — and actually stolen? ## Why This Matters At-rest encryption protects against stolen disks; in-transit encryption protects against network interception. Neither helps when an attacker, insider, or over-permissioned tool simply queries the database, because the database decrypts everything for anyone allowed to connect. ## Why CipherStash CipherStash keeps values encrypted through storage, queries, and application flow. Searchable encryption means the database can match, range-scan, and sort without seeing plaintext; decryption is a separate, identity-gated, audited step. This allows: - Data to remain encrypted while being queried, filtered, and sorted - The database, its operators, and its backups to handle only ciphertext - Decryption to occur only for authorised identities, per value - "Encryption in use" to be a deployed control rather than a roadmap item ## Key Differentiators - **Searchable encryption** — equality, range, and free-text queries over encrypted Postgres fields, with standard indexes - **Application-layer encryption** — data is protected before it reaches the database - **Identity-aware decryption** — every decryption is bound to the identity behind the request - **Per-value keys via ZeroKMS** — keys are derived on demand, never stored - **Cryptographic auditability** — a verifiable record of who decrypted what, and when ## Get started - [View docs](https://cipherstash.com/docs) - [Book a discovery call](https://calendly.com/cipherstash-gtm/cipherstash-discovery-call) ## Related questions - [How do we give developers secure defaults instead of relying on perfect operational discipline?](https://cipherstash.com/solutions/how-do-we-give-developers-secure-defaults-instead-of-relying-on-perfect-operational-discipline.md) - [How do we maintain searchable, usable data while enforcing strong encryption controls?](https://cipherstash.com/solutions/how-do-we-maintain-searchable-usable-data-while-enforcing-strong-encryption-controls.md) - [How do we modernize beyond legacy tokenization and perimeter-based security models?](https://cipherstash.com/solutions/how-do-we-modernize-beyond-legacy-tokenization-and-perimeter-based-security-models.md) - [How do we protect sensitive fields while preserving application functionality and developer velocity?](https://cipherstash.com/solutions/how-do-we-protect-sensitive-fields-while-preserving-application-functionality-and-developer-velocity.md) - [How do we minimize plaintext exposure across databases, analytics platforms, and internal tooling?](https://cipherstash.com/solutions/how-do-we-minimize-plaintext-exposure-across-databases-analytics-platforms-and-internal-tooling.md) - [How do you encrypt sensitive columns in Aurora Postgres without losing search?](https://cipherstash.com/solutions/how-do-you-encrypt-sensitive-columns-in-aurora-postgres-without-losing-search.md) - [How do you encrypt sensitive columns in AWS RDS Postgres without losing search?](https://cipherstash.com/solutions/how-do-you-encrypt-sensitive-columns-in-aws-rds-postgres-without-losing-search.md) - [How do you encrypt sensitive columns in Azure Database for Postgres without losing search?](https://cipherstash.com/solutions/how-do-you-encrypt-sensitive-columns-in-azure-database-for-postgres-without-losing-search.md) - [How do you encrypt sensitive columns in Crunchy Bridge without losing search?](https://cipherstash.com/solutions/how-do-you-encrypt-sensitive-columns-in-crunchy-bridge-without-losing-search.md)