§ 00·0x00/STACK / ENCRYPTION
Searchable field-level encryption.
Queryable encryption for Postgres. Range, exact-match, and free-text search over encrypted fields, with sub-millisecond overhead on your existing indexes. No new database, no migration, no superuser access.
MongoDB ships Queryable Encryption for MongoDB. CipherStash is queryable encryption for Postgres.
§ 01·0x01/CAPABILITIES / WHAT YOU GET
Every query you already write.
→ 01
Range queries
Filter on encrypted timestamps, integers, and dates. `WHERE dob BETWEEN $start AND $end` over ciphertext, backed by an existing Postgres index.
→ 02
Exact match
Equality checks across encrypted columns. Joins, grouping, and unique constraints all behave as if the data were plaintext.
→ 03
Free-text fuzzy search
Tokenized, prefix, and fuzzy search over ciphertext. Find records without ever decrypting the index.
→ 04
JSON queries
Query encrypted JSONB fields. Drill into nested paths and apply operators without a decryption step in the query pipeline.
→ 05
Quantum safe
Built on cryptographic constructions that remain secure under a quantum adversary. Ciphertext today, ciphertext tomorrow.
→ 06
100,000x faster than FHE
Fully homomorphic encryption is theoretically attractive and practically unshippable. Searchable encryption is five orders of magnitude faster and deploys to production.
§ 02·0x02/EQL / CUSTOM POSTGRES TYPES
Custom Postgres types shape how encrypted search works.
EQL (Encrypt Query Language) is a set of custom Postgres types and operators that let your database index and compare ciphertext. Encrypted columns are real columns with real indexes. No proxy, no shadow tables, no separate search service.
You choose per field which queries to enable: equality, range, or text search. A field with no indexes discloses nothing. On top sits a TypeScript-first SDK, built to be legible to AI coding agents.
§ 03·0x03/INTEGRATIONS / YOUR STACK
Works with every Postgres provider.
Neon, Supabase, PlanetScale, Crunchy Data, Vercel Postgres, Nile, Tiger Data. If you can `pg_connect` to it, CipherStash Encryption runs on it.
Drizzle ORM
Encrypted column types and query operators native to Drizzle. Type-safe end to end.
READ DOCS →Supabase
Transparent encrypt/decrypt with the encryptedSupabase wrapper. Drop-in replacement.
READ DOCS →DynamoDB
Encrypt items before writes, decrypt after reads via the encryptedDynamoDB helper.
READ DOCS →CipherStash Proxy
Transparent encryption for existing Postgres apps with zero code changes at the application layer.
READ DOCS →§ 04·0x04/BENCHMARKS / NUMBERS
The performance.
<1ms
Query overhead
1B+
Operations in production
100,000x
Faster than FHE
∞
Quantum safe
§ 05·0x05/SHIP / BUILD
Encrypt your first field in 15 minutes.
Install @cipherstash/stack, define an encrypted column, and run your existing query. The field is ciphertext at rest, in transit, and in use. The query still finds it.