- Encryption: Field-level encryption for TypeScript apps with searchable encrypted queries, zero-knowledge key management, and first-class ORM support.
- Secrets: Zero-trust secrets management with end-to-end encryption. Plaintext never leaves your application.
Encryption
import { Encryption, encryptedTable, encryptedColumn } from "@cipherstash/stack";
// 1. Define your schema
const users = encryptedTable("users", {
email: encryptedColumn("email").equality().freeTextSearch(),
});
// 2. Initialize the client
const client = await Encryption({ schemas: [users] });
// 3. Encrypt
const encryptResult = await client.encrypt("secret@example.com", {
column: users.email,
table: users,
});
if (encryptResult.failure) {
// Handle errors your way
}
// 4. Decrypt
const decryptResult = await client.decrypt(encryptResult.data);
if (decryptResult.failure) {
// Handle errors your way
}
// decryptResult.data => "secret@example.com"Secrets
import { Secrets } from "@cipherstash/stack";
// 1. Initialize the secrets client
const secrets = new Secrets({ environment: "production" });
// 2. Set a secret with the SDK or the CLI
await secrets.set("DATABASE_URL", "postgres://user:pass@host:5432/db");
// 3. Consume the secret in your application
const secret = await secrets.get("DATABASE_URL");npm install @cipherstash/stack
# or
yarn add @cipherstash/stack
# or
pnpm add @cipherstash/stack
# or
bun add @cipherstash/stackImportant
You need to opt out of bundling when using @cipherstash/stack.
It uses Node.js specific features and requires the native Node.js require.
Read more about bundling in the documentation.
- Searchable encryption: query encrypted data with equality, free text search, range, and JSONB queries.
- Type-safe schema: define encrypted tables and columns with
encryptedTable/encryptedColumn - Model & bulk operations: encrypt and decrypt entire objects or batches with
encryptModel/bulkEncryptModels. - Identity-aware encryption: bind encryption to user identity with lock contexts for policy-based access control.
- Secrets management: store and retrieve encrypted secrets via the Secrets SDK and CLI.
- Trusted data access: ensure only your end-users can access their sensitive data using identity-bound encryption
- Sensitive config management: store API keys and database credentials with zero-trust encryption and full audit trails
- Reduce breach impact: limit the blast radius of exploited vulnerabilities to only the data the affected user can decrypt
Contributions are welcome and highly appreciated. However, before you jump right into it, we would like you to review our Contribution Guidelines to make sure you have a smooth experience contributing.
For our full security policy, supported versions, and contributor guidelines, see SECURITY.md.
This project is MIT licensed.