CipherStash Documentation
Data Level Access Control for Postgres. Searchable field-level encryption, identity-bound keys, cryptographic audit trails.
CipherStash is Data Level Access Control for Postgres. Encrypt fields, query ciphertext, bind keys to identities, and audit every access. Zero-knowledge by design.
npx stash init
One command. Device-based authentication, no environment variables for local dev. See the Getting started guide.
Choose your path
Two integration paths. Same key hierarchy, same encryption, same audit trail.
| | TypeScript SDK | CipherStash Proxy |
|---|---|---|
| How it works | Encryption SDK and CLI available as an NPM package | Postgres Encryption - Postgres wire protocol Proxy built on top of the Encryption SDK to transparently encrypt data in Postgres |
| Best for | Teams moving quickly and building TypeScript apps | More complex app architectures or non-TypeScript applications using Postgres |
| Language | TypeScript / JavaScript (Node.js, Deno, Bun) | Any language (connects via PostgreSQL wire protocol) |
| Setup | npx stash init | Docker container or binary |
Most teams start with the SDK for the best developer experience.
Get started
Getting started
Authenticate, set up your project, and start encrypting in under 5 minutes.
Encryption SDK
Field-level encryption with searchable queries in your TypeScript application.
CipherStash Proxy
Drop-in SQL proxy for PostgreSQL. Encrypt data with zero code changes.
Secrets (coming soon)
Store and retrieve end-to-end encrypted secrets via SDK or CLI.
Products
Encryption SDK
Schema definition, encrypt/decrypt, searchable encryption, Drizzle, Supabase, and DynamoDB integrations.
CipherStash Proxy
Transparent PostgreSQL encryption proxy with zero application code changes.
Secrets (coming soon)
End-to-end encrypted secret storage with environment isolation.
ZeroKMS
Key management, keysets, clients, and access keys — the foundation that powers everything.
Operations
Going to production
Transition from device-based auth to environment variables for CI/CD and hosting.
Team onboarding
Invite developers with per-person device-based access.
Planning guide
Evaluate your security posture and choose an integration path.
How it fits together
Everything builds on ZeroKMS and its core primitive, the Keyset. A keyset is the unit of isolation.
- Encryption uses keysets for tenant isolation. One keyset per customer. Provable cryptographic separation.
- Secrets (coming soon) uses keysets for environment isolation. Production, staging, and development secrets can never cross boundaries.
- Proxy encrypts data transparently via PostgreSQL, backed by the same ZeroKMS key hierarchy.