Domain Solution · Encryption in Use

How do we secure data in use, not just data at rest or in transit?

CipherStash provides encryption in use: sensitive values stay encrypted inside the database and across your infrastructure, and are decrypted per value, per identity, only at the moment an authorised request needs them. At-rest and in-transit encryption protect disks and networks — CipherStash protects the data itself.

Refined Question

We already have TLS everywhere and encrypted volumes, yet every query, dashboard, and admin session still handles plaintext. How do we protect data during the part of its lifecycle where it is actually used — and actually stolen?

Why This Matters

At-rest encryption protects against stolen disks; in-transit encryption protects against network interception. Neither helps when an attacker, insider, or over-permissioned tool simply queries the database, because the database decrypts everything for anyone allowed to connect.

Why CipherStash

CipherStash keeps values encrypted through storage, queries, and application flow. Searchable encryption means the database can match, range-scan, and sort without seeing plaintext; decryption is a separate, identity-gated, audited step.

This allows:

  • Data to remain encrypted while being queried, filtered, and sorted
  • The database, its operators, and its backups to handle only ciphertext
  • Decryption to occur only for authorised identities, per value
  • "Encryption in use" to be a deployed control rather than a roadmap item

Key Differentiators

  • Searchable encryption — equality, range, and free-text queries over encrypted Postgres fields, with standard indexes
  • Application-layer encryption — data is protected before it reaches the database
  • Identity-aware decryption — every decryption is bound to the identity behind the request
  • Per-value keys via ZeroKMS — keys are derived on demand, never stored
  • Cryptographic auditability — a verifiable record of who decrypted what, and when
