
Key management built for scale and zero trust

Create a unique key for every single record, authenticate users and applications, and log every access. A perfect complement to CipherStash Proxy, but can also be used with any database or application.

Introducing ZeroKMS.

Traditional key management systems are not designed for the zero trust future. ZeroKMS is.
ZeroKMS is a key management system. It is built to be used with CipherStash Proxy, but can also be used with any database or application.

Zero Trust key management

Unique key per record

ZeroKMS generates a unique key for every record in your database. This level of granularity hasn’t previously been realistic because traditional solutions like AWS KMS perform one network round-trip per key request.

Composite keys are used to manage decryption, meaning no single entity, whether client or server, can see the complete decryption key. Complete keys are never sent over the network.

Encryption-as-Access-Control

Fine-grained control and visibility

Every access to your data is logged, including the identity of the user or application, the time of the access, and the data that was accessed.

Ingest the encrypted access log into your SIEM or log management system to ensure you have visibility of every access to your data.

Deployment options.

Use the CipherStash managed ZeroKMS or deploy on-premises.

Diagram comparing an application's database connection without and with CipherStash Proxy. On the left, data is shown as plain text and mentions potential data leaks. On the right, with Tandem, data is encrypted and secured, indicating protection from untrusted or compromised clients.

Managed service

CipherStash manages ZeroKMS for you. We take care of security, availability, and scalability.

Quickly validate ZeroKMS in your environment, and deploy to production in minutes.


On-premises deployment

Deploy ZeroKMS on-premises, in your own cloud account, or even on your own hardware.

ZeroKMS is built as a Docker container, so it can be deployed anywhere.

Key management ready for a zero trust future.

Safer cloud deployments

ZeroKMS uses composite keys to manage decryption, meaning no single entity, whether client or server, can see the complete decryption key. Complete keys are never sent over the network.

One record. One key.

ZeroKMS enables fine-grained access control by generating a unique data-key per record. This level of granularity hasn’t previously been realistic because traditional solutions like AWS KMS perform one network round-trip per key request.

Per-request identity checks

ZeroKMS integrates with OpenID authentication providers such as Auth0, enabling per-request, not just per-session, identity checks.

Atomic decryption operations

ZeroKMS guarantees that a decryption succeeds only if the policy check and the audit-log write both succeed. If either the check or the logging fails, the decryption also fails.
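As an added illustration of the properties described in "Unique key per record", "Safer cloud deployments" and "Atomic decryption operations" above (this is not ZeroKMS's own code or its actual key-splitting protocol): a per-record key is derived from two shares so that neither share alone yields it, and the decrypt path fails closed unless the policy check and the audit-log write both succeed. The share values, the ACL, the HMAC-in-counter-mode stream cipher and the audit sink are all constructed assumptions for the demo.

```python
import hashlib
import hmac
from typing import Callable


class DecryptDenied(Exception):
    """Raised when the policy check or the audit write fails; no plaintext is produced."""


# Constructed sample data (not real ZeroKMS material): two key shares held by
# different parties, and a per-record ACL listing the identities allowed to read.
CLIENT_SHARE = b"client-share-held-by-the-application"
SERVER_SHARE = b"server-share-held-by-the-key-service"
ACL = {"customer/42": {"billing-svc"}}


def derive_record_key(client_share: bytes, server_share: bytes, record_id: str) -> bytes:
    # Both shares are required, and the record id makes every record's key distinct.
    combined = hashlib.sha256(client_share + server_share).digest()
    return hmac.new(combined, record_id.encode(), hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    # Illustration-only stream cipher: XOR with an HMAC-in-counter-mode keystream.
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_record(record_id: str, plaintext: bytes) -> bytes:
    return xor_stream(derive_record_key(CLIENT_SHARE, SERVER_SHARE, record_id), plaintext)


def decrypt_record(identity: str, record_id: str, ciphertext: bytes,
                   audit: Callable[[dict], None]) -> bytes:
    # Fail closed: policy first, then the audit write; the key is derived only after both succeed.
    if identity not in ACL.get(record_id, set()):
        raise DecryptDenied(f"{identity} is not permitted to read {record_id}")
    try:
        audit({"who": identity, "record": record_id})
    except Exception as exc:
        raise DecryptDenied("audit log write failed; refusing to decrypt") from exc
    key = derive_record_key(CLIENT_SHARE, SERVER_SHARE, record_id)
    return xor_stream(key, ciphertext)
```

Passing a sink that raises (for example when the SIEM forwarder is down) shows the third property: the caller gets `DecryptDenied` rather than plaintext with a missing log entry.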

Immediate key revocation

Revoke keys immediately, without the need for re-encryption.

Pairs with CipherStash Proxy

CipherStash Proxy is a Postgres proxy. It uses ZeroKMS for decryption operations, making ZeroKMS your secure single source of truth for fine-grained data access control.

Looking to get started?

Check us out on GitHub, or book a discovery call to learn more.