James here, principal engineer at CipherStash. A few of you have (fairly) pointed out that the threat model is hard to find on our site, so rather than answer piecemeal let me lay the whole thing out. tekacs got most of the way there by reading between the lines, which is on us, not them.<p>The premise first: organisations shouldn't have to make a mutually exclusive choice between encrypting their data and being able to query it. That's the reason CipherStash exists, and everything below follows from it.<p>The threat model in one sentence: anyone with access to the database itself - dumps, backups, stolen credentials, SQLi, a hosting provider, an over-curious DBA - should learn as little as possible about sensitive values, and every legitimate decryption should require authentication and leave an audit record. We're explicitly not claiming to defend against an attacker who fully owns your running application with valid credentials. Nothing at this layer can, and anyone who tells you otherwise is selling snake oil.<p>The components:<p>* ZeroKMS: the key service. Root key material sits here, HSM-backed. Every encrypted value gets its own unique data key, but ZeroKMS never has it - keys are derived in your application from a seed we return plus a client key that never leaves your infrastructure. Two parties are needed to derive any key, so CipherStash cannot decrypt your data. Not "won't", can't.<p>* CTS: the token service. Exchanges tokens from your identity provider (Supabase Auth, Auth0, etc.) so decryption is bound to end-user identity rather than a service account. This is what makes the SQLi case boring: an attacker's session can only derive keys for data that user was allowed to read anyway.<p>* Auditing: because every decryption requires a key derivation, the key service sees every access - which value (by key ID, not content) and by whom. Query logs tell you what was asked; this tells you what was actually decrypted.<p>There are two ways to integrate, and you can run both:<p>* At the application layer, via the ORM adapters (Supabase, Prisma, Drizzle). Encryption and decryption happen inside your application process - the database only ever stores ciphertext and encrypted index terms, and plaintext exists nowhere outside your app. This is the tightest trust boundary and the mode the identity-bound stuff above is built for.<p>* At the SQL layer, via the Proxy - a Rust Postgres proxy that runs in <i>your</i> infrastructure. It encrypts and decrypts transparently, before results reach the client, so anything that speaks Postgres works unmodified: psql, BI tools, migration scripts, legacy apps you can't touch. Crucially, credentials through the Proxy are still tied to an individual identity, not a machine identity. There are two layers of auth in play: a machine credential identifies the Proxy instance itself, and the user's identity is tunnelled through it - so the engineer running psql derives keys as themselves, subject to the same access policy and audit trail as everything else. The trade-off between the two modes is where plaintext appears, not who's accountable. Escape hatch, not back door - a back door would be a bypass of the access controls - this isn't.<p>Key rotation is handled by the same re-encryption scheme that powers derivation: root key material can be rotated server-side without re-encrypting the data itself, because the stored ciphertexts never depended on a long-lived key sitting next to them.<p>On leakage, since that's the crux of the scepticism: yes, searchable encryption leaks. Equality indexes (HMAC) reveal when two values match, so frequency. Range indexes (ORE, Lewi-Wu 2016) reveal ordering. Text indexes (encrypted bloom filters) reveal probabilistic token membership. This isn't a bug we're hiding, it's the fundamental trade: for the database to use an index it has to compare <i>something</i>, and whatever it compares, it learns. The schemes that leak nothing (FHE, ORAM) are bullshit slow. What we've done is make the leakage bounded, documented, and opt-in per column, per query type. If the frequency or ordering of a column is itself sensitive - salaries being the classic example - don't index it. Encrypt it plainly and filter after decryption in the app. Most columns need no search at all, and the default is exactly that: no index, no leakage beyond ciphertext length.<p>The docs criticism lands and we're fixing it - the security architecture page (<a href="https://cipherstash.com/docs/stack/reference/security-architecture" rel="nofollow">https://cipherstash.com/docs/stack/reference/security-archit...</a>) now covers the primitives, key hierarchy and per-index leakage in one place, benchmarks are at <a href="https://github.com/cipherstash/benches" rel="nofollow">https://github.com/cipherstash/benches</a>, and the crypto that matters is open source and auditable: <a href="https://github.com/cipherstash/encrypt-query-language" rel="nofollow">https://github.com/cipherstash/encrypt-query-language</a>, <a href="https://github.com/cipherstash/ore.rs" rel="nofollow">https://github.com/cipherstash/ore.rs</a>, <a href="https://github.com/cipherstash/proxy" rel="nofollow">https://github.com/cipherstash/proxy</a>.
Something here seems to not fit together to me on the assumptions this is based on, because you say<p>> We're explicitly not claiming to defend against an attacker who fully owns your running application with valid credentials.<p>and dandraper says:<p>> I was CTO [...] and the engineers all had access to patient data. They needed DB access [...] but not access to the sensitive values
> [...]
> CipherStash solves the following:
> * Hide sensitive data from direct database accessors<p>So putting these together is this implying that a developer who wants to test things on a large data set is given access to the database directly, but not access to debug the application? Surely for example if they could load the app in a debugger, step through it, and execute arbitrary code (eg. if they are developing on it) that includes "fully running the application"? So are you saying that scenario is not secure?<p>If so then I'm struggling to see how a developer would use this realistically. As a dev how am I supposed to work on an application without access to be able to change the code (assuming here then that "change the code" means I can also add a statement that dumps a decrypted value to the log)?<p>If the security level we want is something like "devs need to be able to test migrations work on the actual data" then why would I use this instead of just NOT giving direct db access and having an audited environment spin up a db copy and container and just output the logs of whether the migration worked, without access to query the db directly. If I do that then nobody needs direct db access right? But then why would I need CipherStash?
This doesn’t have anything to do with being able to change the code. Devs can code and change things as they need. The database is also the same as it always is.<p>What CipherStash does is let you specify specific columns that you want to encrypt. The application (via our SDK), encrypts values for that field before it’s saved and optionally decrypts it again when it’s read. Decryption is performed when the user provides a valid credential (JWT).<p>This would allow you to give your devs full access to the production DB. You don’t have to give them permission to decrypt any or specific fields if they don’t need it.<p>So for your use case that would possibly save a lot of effort - no need to create a santized copy of the database (which in itself is fraught).<p>What James was referring to was the attacker threat model. Decryption happens in the application code. So an attacker who can steal encryption keys as well as be a valid JWT would be able to decrypt data for as long as the JWT is valid. That scenario is not something CipherStash can fully prevent.<p>What it does prevent is unauthorised access to data. Whether via the database directly or via the application.<p>What’s important here is that it’s the data itself that protected. If you move encrypted values from your prod DB to test or dev, the same rules apply. A user who can’t read “email” values that were encrypted in prod would still not be able to read those values if you moved them somewhere else.<p>Does that clarify things?
It's still not piecing together 100% for me, sorry I'm not trying to be obtuse or anything.<p>So maybe let me simplify my question: If I set up both a copy of a database with values encrypted by CipherStash, and an application server connected to it, and the application server has enough access to do queries on sensitive data (eg "WHERE sensitiveField = ?", pretend it needs that for a migration), and a developer has root access on the application box while it's running, and a gdb session connected to the app, can they see any sensitive data or no?<p>If they can't, then that's genuinely cool, and I probably need to look into the workings a bit more!