Zero trust KMS

ZeroKMS is a key management service that supports bulk operations, unique data keys per encryption, and fine-grained access control with the CipherStash Token Service.

Introducing ZeroKMS

Traditional key management systems are not designed for the zero trust future. ZeroKMS is.
ZeroKMS is a key management system. It is built to be used with CipherStash Proxy, but can also be used with any database or application.

Zero Trust key management

Unique key per record

ZeroKMS generates a unique key for every record in your database. This level of granularity hasn’t previously been realistic because traditional solutions like AWS KMS perform one network round-trip per key request.

Composite keys are used to manage decryption, meaning no single entity, whether client or server, can see the complete decryption key. Complete keys are never sent over the network.

Encryption-as-Access-Control

Fine-grained control and visibility

Every access to your data is logged, including the identity of the user or application, the time of the access, and the data that was accessed.

Ingest the encrypted access log into your SIEM or log management system to ensure you have visibility of every access to your data.

Deployment options.

Use the CipherStash managed ZeroKMS or deploy on-premises.

Diagram comparing an application's database connection without and with CipherStash Proxy. On the left, data is shown as plain text and mentions potential data leaks. On the right, with Tandem, data is encrypted and secured, indicating protection from untrusted or compromised clients.

Managed service

CipherStash manages ZeroKMS for you. We take care of security, availability, and scalability.

Quickly validate ZeroKMS in your environment, and deploy to production in minutes.

Diagram comparing an application's database connection without and with CipherStash Proxy. On the left, data is shown as plain text and mentions potential data leaks. On the right, with Tandem, data is encrypted and secured, indicating protection from untrusted or compromised clients.

On-premise deployment

Deploy ZeroKMS on-premise, in your own cloud account, or even on your own hardware.

ZeroKMS is built as a docker container, so it can be deployed anywhere.

Key management ready for a zero trust future.

Safer cloud deployments

ZeroKMS uses composite keys to manage decryption, meaning no single entity, whether client or server, can see the complete decryption key. Complete keys are never sent over the network.

One record. One key.

ZeroKMS enables fine-grained access control by generating a unique data-key per record. This level of granularity hasn’t previously been realistic because traditional solutions like AWS KMS perform one network round-trip per key request.

Per request identity checks

ZeroKMS integrates with OpenID authentication providers such as Auth0, enabling per request—not just per session—identity checks.

Atomic decryption operations

ZeroKMS guarantees that policy checks and audit logging always occur if decryption is successful. If any check or logging fails, the decryption also fails.

Immediate key revocation

Revoke keys immediately, without the need for re-encryption.

Pairs with CipherStash Proxy

CipherStash Proxy is a Postgres proxy.It uses ZeroKMS for decryption operations, making ZeroKMS your secure single source of truth for fine-grained data access control.

Start protecting your data

Get started by creating a free account and choosing your integration path, or get in touch to learn more.

Start encrypting dataRequest a demo