CipherStashDocs

ZeroKMS

100x faster key management. Unique key per value, derived on demand, never stored. Backed by AWS KMS.

ZeroKMS is the key management layer that powers Encryption and Secrets (coming soon). Every encrypted value gets its own unique key. Keys derived on demand, never stored. Identity and policy baked into every key.

100x faster than AWS KMS.

Zero-knowledge by design

Existing key management solutions reveal either data or keys to intermediaries. ZeroKMS uses proxy symmetric re-encryption (patent pending) on its authority key to produce a key seed, which it returns to the application. The application processes that seed with its own client key and derives the data key locally. Data keys are never seen by third parties, and never sent across the network. Neither is the client key.

How it works

  • Unique key per value: Each encrypted field uses a distinct data encryption key, not a shared table-level key. The application requests a seed by key ID, which is what gives each data key its identity.
  • AWS KMS backed: The authority key is encrypted at rest under an AWS KMS root key. No per-value data key is ever wrapped or stored.
  • Zero-knowledge: CipherStash never sees your plaintext data, your client key, or an unwrapped data key. ZeroKMS returns a key seed; only your application can turn that seed into a data key, because only your application holds the client key.
  • Multi-tenant isolation: Use keysets to isolate encryption keys per tenant, customer, or business unit.
  • Bulk operations: ZeroKMS supports bulk encryption and decryption operations, enabling a unique data key per record without sacrificing performance.
  • Multi-region: ZeroKMS is highly available and deployed in multiple cloud regions globally. It can also be deployed within your own cloud account or on-prem.

Key Sets

Key Sets are ZeroKMS's core primitive for cryptographic isolation. A keyset is the unit of isolation. Data encrypted under one keyset cannot be decrypted with another.

Keysets are managed in the CipherStash Dashboard as a cloud primitive. How you use them is up to your architecture:

  • Tenant isolation: one keyset per customer or business unit, giving per-tenant cryptographic boundaries with zero key management overhead. See Encryption configuration.
  • Environment isolation: separate keysets for production, staging, and development. Secrets (coming soon) maps its environment parameter to a keyset automatically.
  • Regional or compliance boundaries: isolate data by jurisdiction or regulatory requirement.
  • Any boundary your application needs: keysets are general-purpose. Combine them however your architecture requires.

Read the whitepaper

If you'd like to learn more about ZeroKMS, read the whitepaper on the Trust Center.

Next steps

On this page