CipherStash QX
Searchable Encrypted Database

QX is a high-performance, fully-encrypted, document oriented database
designed for ease-of-use and maximum protection.

Get started for free

Maximum Data Protection

With QX, every query, insert and update is encrypted before it is sent across the network using keys that you control. Sensitive data is both protected and searchable.

Encryption-at-Rest is Broken

You've probably heard of encryption-at-rest.
Did you know that it is not enough to prevent data breaches?

A diagram showing an encrypted data storage that is connected to an unencrypted database. The query "name.match(ace)" is executed and it is noted that the database is unencrypted and therefore readable by admins or attackers.File StorageData fully encrypted on diskEncryptedDecryptedname.match("ja")IDNameEmail123Jane Smithjane@example.comData readableby admins or attackersClientname.match("ja")Full query supportUnencrypted request
A diagram showing an encrypted data storage that is connected to an encrypted database. The query "doc.id = 123" is executed and it is noted that while the database is now encrypted there is no more complex query support.File StorageData fully encrypted on diskEncryptedDecrypteddoc.id = 123IDNameEmail123XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXEncrypted rowsClientdoc.id = 123No query supportUnencrypted request
A diagram showing an encrypted data storage that is connected to an encrypted database. A query is executed but we can't see it because it is encrypted as well as the database. It is noted that now both database and query are fully encrypted with full query support.File StorageData fully encrypted on diskEncryptedDecryptedXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXDatabase encryptedClientname.match("ja")Full query supportEncrypted request

The Problem

Encryption-at-Rest

Encryption-at-Rest encrypts sensitive files on disk. But in a running database, data is decrypted whenever a query is run.

It's like leaving the key in the lock.

Encrypt every record?

Alternatively, records could be encrypted externally before being stored in the database.

But now data can't be queried!

The Solution

CipherStash QX

QX uses searchable encryption so that data is always encrypted and fully searchable.

We call this Encryption-in-Use.

Built for Security

QX is designed to meet very high-levels of security and compliance.

Standards Based

QX is based on existing standards like AES. Nothing fancy means there is less to go wrong.

Github Repo

70 nanoseconds

Is how long a comparison takes in QX. And because it uses B-Trees, queries are super snappy.

Built with Rust

Rust's memory model and compiler guarantees make it perfect for security.

Open-ID ❤️

Say goodbye to credentials in connection strings! QX uses OpenID and JWTs to authorize clients.

A diagram showing four boxes with the label Application, Authenticate Identity Provider, Encrypt/Decrypt and Data Service. The Application box is highlighted.QXIdentity ProviderEncrypt/DecryptApplicationTokenTokenData/Queryaf3d11ba1a1c
A diagram showing four boxes with the label Application, Authenticate Identity Provider, Encrypt/Decrypt and Data Service. It shows a highlighted arrow from the Application box to the Authenticate Identity Provider box which is highlighted.QXIdentity ProviderEncrypt/DecryptApplicationTokenTokenData/Queryaf3d11ba1a1c
A diagram showing four boxes with the label Application, Authenticate Identity Provider, Encrypt/Decrypt and Data Service. It shows an arrow back from the Authenticate Identity Provider box to the Application box labeled "Token" and an arrow from the Application box to the Encrypt/Decrypt which is highlighted. The arrow is labeled "Token".QXIdentity ProviderEncrypt/DecryptApplicationTokenTokenData/Queryaf3d11ba1a1c
A diagram showing four boxes with the label Application, Authenticate Identity Provider, Encrypt/Decrypt and Data Service. It shows two arrows from the Encrypt/Decrypt box to the Data Service box and back. The arrows are labeled with random tokens "af3d11" and "ba1a1c"QXIdentity ProviderEncrypt/DecryptApplicationTokenTokenData/Queryaf3d11ba1a1c

Your Application

Any NodeJS, Ruby or Rust application can use QX.
Other languages and frameworks coming soon.

Authenticate

Clients authenticate to QX using OpenID.
Use can even your own idenity provider.

Encryption

Records are encrypted using searchable encryption.

id: abc11c33Encrypted DocumentEnc(name)Enc(dob)Enc(email)Encrypted Indexes

QX

Data sent to QX is encrypted.
It is never decrypted until it's returned to the application.

Text search over encrypted data

Partial or Exact Matches

Search with fuzzy or partial string comparisons.

Or lookup records by exact values.

// Partial string match
await customers.all(
  customer => customer.name.match("Ada")
)

// Exact ("keyword") match
await customer.all(
  customer => employee.status.eq("active")
)

Range queries over encrypted data

Range Queries

Retrieve ranges of data for numeric and date types.

// All customer signed up in the
// last 30 days
let monthAgo = new Date() - DAYS_30
let results = await customers.all(
  customer =>
  	customer.signedUpAt.gte(monthAgo)
)

Combinations!

Combine query types

Combine constraints on multiple fields or compose queries for great flexibility.

// All full-time employees paid over $100k
let results = await employees.all(
  employee =>
    all(
      employee.salary.gt(100000),
      employee.employment.eq("full-time")
    )
)

Read more in our Docs!

Don't take our word for it.

This is what people are saying about CipherStash:

Had a great chat this arvo with @danieldraper about @cipherstash

If I was founding something new today I'd be super duper likely to use this to replace my "user.[rb|ts]"

I love how it gives you a PII vault but with flexibility around querying.

Twitter profile picture of John Barton
John Barton
CTO, Amber Electric

I am still on a high after talking with @danieldraper and @auxesis yesterday. The stuff they are building at @cipherstash is incredible.

Making it trivial to do field level encryption in any DB is one thing. But making it still possible to do a full text search is quite another

Twitter profile picture of Erwin van der Koogh
Erwin van der Koogh
Founder, Linc

If you store PII and tell me it’s safe cause you encrypt data at rest, and in transit, you’re wrong. If your app or DB is compromised your reputation is in the 🗑.

@cipherstash - an end-to-end secure, searchable, performant database.

Their infra, your keys. Get on it.

Twitter profile picture of Matt Allen
Matt Allen
CEO, Tractor Ventures

Ready to protect your data?

Get started for free

No credit card required.