### Install and Setup CipherStash Proxy Source: https://raw.githubusercontent.com/cipherstash/proxy/refs/heads/main/README Guides users through cloning the repository, installing the CipherStash CLI, setting up proxy configuration, and starting the necessary Docker containers for local development. ```bash git clone https://github.com/cipherstash/proxy cd proxy # Install the CipherStash CLI ## macOS brew install cipherstash/tap/stash ## Linux ## Download from https://github.com/cipherstash/cli-releases/releases/latest # Setup your CipherStash configuration stash setup --proxy # ⬆️ this outputs creds to .env.proxy.docker # Start the containers docker compose up ``` -------------------------------- ### Setup CipherStash Proxy and Start Docker Source: https://github.com/cipherstash/proxy This snippet outlines the essential commands to clone the CipherStash proxy repository, install the CipherStash CLI using Homebrew for macOS or by downloading for Linux, configure the proxy, and start the Docker containers. ```shell # Clone the repo git clone https://github.com/cipherstash/proxy cd proxy # Install the CipherStash CLI ## macOS brew install cipherstash/tap/stash ## Linux ## Download from https://github.com/cipherstash/cli-releases/releases/latest # Setup your CipherStash configuration stash setup --proxy # ⬆️ this outputs creds to .env.proxy.docker # Start the containers docker compose up ``` -------------------------------- ### CipherStash CLI Setup Source: https://github.com/cipherstash/proxy Commands to install and set up the CipherStash CLI for local development. This includes installing the CLI via Homebrew (macOS) or downloading a release, and then configuring it for proxy usage, which outputs credentials to a .env file. ```shell # Clone the repo git clone https://github.com/cipherstash/proxy cd proxy # Install the CipherStash CLI # macOS brew install cipherstash/tap/stash # Linux # Download from https://github.com/cipherstash/cli-releases/releases/latest # Setup your CipherStash configuration stash setup --proxy # ⬆️ this outputs creds to .env.proxy.docker ``` -------------------------------- ### Docker Compose Setup and Execution Source: https://github.com/cipherstash/proxy Instructions to start the local development environment using Docker Compose. This command launches PostgreSQL and CipherStash Proxy, making them accessible on specified local ports. ```docker docker compose up ``` -------------------------------- ### Install Protect.js Source: https://raw.githubusercontent.com/cipherstash/protectjs/refs/heads/main/packages/protect/README Install the @cipherstash/protect package using your preferred package manager. ```bash npm install @cipherstash/protect # or yarn add @cipherstash/protect ``` -------------------------------- ### Install Protect.js Package Source: https://raw.githubusercontent.com/cipherstash/protectjs/refs/heads/main/packages/protect/README Installs the CipherStash Protect.js library using the pnpm package manager. This is the primary step to integrate Protect.js into your Node.js project. ```bash pnpm add @cipherstash/protect ``` -------------------------------- ### Install CipherStash CLI on macOS Source: https://raw.githubusercontent.com/cipherstash/protectjs/refs/heads/main/packages/protect/README Installs the CipherStash command-line interface (CLI) tool using Homebrew on macOS. The CLI is used for project setup and configuration. ```bash brew install cipherstash/tap/stash ``` -------------------------------- ### Configure CipherStash CLI Source: https://raw.githubusercontent.com/cipherstash/protectjs/refs/heads/main/packages/protect/README Runs the CipherStash CLI setup command to generate necessary configuration and secret files (`cipherstash.toml`, `cipherstash.secret.toml`). This command prompts for account creation if needed and sets up project credentials. ```bash stash setup ``` -------------------------------- ### Download EQL Install Script (Shell) Source: https://raw.githubusercontent.com/cipherstash/protectjs/refs/heads/main/packages/protect/README Provides shell commands to download the CipherStash Encrypt Query Language (EQL) installation script for PostgreSQL. It includes instructions for downloading the standard script and a specific version for Supabase users, which are necessary for enabling searchable encryption. ```sh # Download the latest EQL install script curl -sLo cipherstash-encrypt.sql https://github.com/cipherstash/encrypt-query-language/releases/latest/download/cipherstash-encrypt.sql # Using [Supabase](https://supabase.com/)? We ship an EQL release specifically for Supabase. # Download the latest EQL install script: curl -sLo cipherstash-encrypt-supabase.sql https://github.com/cipherstash/encrypt-query-language/releases/latest/download/cipherstash-encrypt-supabase.sql ``` -------------------------------- ### Install EQL Custom Types (Shell) Source: https://raw.githubusercontent.com/cipherstash/protectjs/refs/heads/main/packages/protect/README Demonstrates how to install the CipherStash Encrypt Query Language (EQL) custom types and functions into a PostgreSQL database. This is a prerequisite for enabling searchable encryption, using the downloaded `.sql` script via the `psql` command-line tool. ```sh # Run this command to install the custom types and functions: psql -f cipherstash-encrypt.sql # or with Supabase: psql -f cipherstash-encrypt-supabase.sql ``` -------------------------------- ### Protect.js Encryption Example Source: https://cipherstash.com/case-studies/journalia This example demonstrates the basic usage of CipherStash's Protect.js library for encrypting sensitive data. It shows how to import necessary modules, obtain a lock context, and encrypt a string with context locking. ```typescript import { protectClient, noteTable } from '@/protect'; import { getLockContext } from '@/auth'; const lockContext = await getLockContext(); const encryptedData = await protectClient .encrypt('Sensitivate data from consultation', noteTable) .withLockContext(lockContext); ``` -------------------------------- ### CipherStash Protect SDK - Encryption Example Source: https://context7_llms Illustrates how to use the CipherStash Protect SDK to encrypt sensitive fields within an application, leveraging claim-based access control and identity-bound encryption. ```javascript import { CipherStash } from '@cipherstash/protect'; const cs = new CipherStash({ // Configuration for CipherStash Protect SDK // e.g., apiKey, endpoint, etc. }); async function encryptSensitiveData(userId, sensitiveData) { const encryptedData = await cs.encrypt(sensitiveData, { claims: [`user:${userId}`], // Additional options like encryption context }); return encryptedData; } ``` -------------------------------- ### CipherStash Protect SDK - Decryption Example Source: https://context7_llms Demonstrates the process of decrypting data previously encrypted with CipherStash Protect, requiring the correct user identity and access policies. ```typescript import { CipherStash } from '@cipherstash/protect'; const cs = new CipherStash({ // Configuration for CipherStash Protect SDK }); async function decryptSensitiveData(userId, encryptedData) { const decryptedData = await cs.decrypt(encryptedData, { claims: [`user:${userId}`], // Additional options like decryption context }); return decryptedData; } ``` -------------------------------- ### CipherStash Proxy Overview Source: https://github.com/cipherstash/proxy Provides an overview of CipherStash Proxy, highlighting its purpose of transparent, searchable encryption for Postgres databases and its availability as Proxy V2. ```markdown # CipherStash Proxy Implement robust data security without sacrificing performance or usability Proxy V2 now available Read the announcement CipherStash Proxy provides transparent, *searchable* encryption for your existing Postgres database. CipherStash Proxy: * Automatically encrypts and decr ``` -------------------------------- ### Connect to Proxy and Insert/Read Data Source: https://raw.githubusercontent.com/cipherstash/proxy/refs/heads/main/README Demonstrates how to connect to the CipherStash Proxy using psql and perform basic SQL operations like inserting and selecting data. It also shows how to connect directly to the underlying PostgreSQL database to view the raw encrypted data. ```bash docker compose exec proxy psql postgres://cipherstash:3ncryp7@localhost:6432/cipherstash ``` ```sql INSERT INTO users (encrypted_email, encrypted_dob, encrypted_salary) VALUES ('alice@cipherstash.com', '1970-01-01', '100'); SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users; ``` ```bash docker compose exec proxy psql postgres://cipherstash:3ncryp7@postgres:5432/cipherstash ``` ```sql SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users; ``` -------------------------------- ### TypeScript Decrypting a Single Model Source: https://raw.githubusercontent.com/cipherstash/protectjs/refs/heads/main/packages/protect/README Provides an example of decrypting a single model's encrypted fields using Protect.js's `decryptModel` method. It includes error handling for decryption failures and logging the decrypted user data. ```typescript import { protectClient } from "./protect"; const decryptedResult = await protectClient.decryptModel(encryptedUser); if (decryptedResult.failure) { // Handle the failure console.log( "error when decrypting:", decryptedResult.failure.type, decryptedResult.failure.message ); } const decryptedUser = decryptedResult.data; console.log("decrypted user:", decryptedUser); ``` -------------------------------- ### Connect to CipherStash Proxy Source: https://github.com/cipherstash/proxy Connect to your CipherStash Proxy instance using psql to interact with the database and execute commands. ```bash docker compose exec proxy psql postgres://cipherstash:3ncryp7@localhost:6432/cipherstash ``` -------------------------------- ### Encrypt/Decrypt with Lock Context (TypeScript) Source: https://raw.githubusercontent.com/cipherstash/protectjs/refs/heads/main/packages/protect/README Demonstrates identity-aware encryption and decryption using CipherStash's bulk operations and lock contexts. It requires a user JWT to establish a lock context, ensuring only authorized users can decrypt data. The example shows encrypting and then decrypting a list of plaintexts with specific table and column context. ```typescript import { LockContext } from "@cipherstash/protect/identify"; const lc = new LockContext(); const lockContext = await lc.identify(userJwt); if (lockContext.failure) { // Handle the failure } const plaintexts = [ { id: "user1", plaintext: "alice@example.com" }, { id: "user2", plaintext: "bob@example.com" }, ]; // Encrypt with lock context const encryptedResult = await protectClient .bulkEncrypt(plaintexts, { column: users.email, table: users, }) .withLockContext(lockContext.data); // Decrypt with lock context const decryptedResult = await protectClient .bulkDecrypt(encryptedResult.data) .withLockContext(lockContext.data); ``` -------------------------------- ### Connecting to CipherStash Proxy via psql Source: https://github.com/cipherstash/proxy Command to establish an interactive psql session connected to the CipherStash Proxy. This allows executing SQL queries that are transparently handled by the proxy for encryption and decryption. ```shell docker compose exec proxy psql postgres://cipherstash:3ncryp7@localhost:6432/cipherstash ``` -------------------------------- ### Initialize Protect Client Source: https://raw.githubusercontent.com/cipherstash/protectjs/refs/heads/main/packages/protect/README Initializes the Protect client by importing the `protect` function and passing the defined schemas. The client is then used for encrypting and decrypting data. ```typescript import { protect, type ProtectClientConfig } from "@cipherstash/protect"; import { users, orders } from "./schema"; const config: ProtectClientConfig = { schemas: [users, orders], } // Pass all your tables to the protect function to initialize the client export const protectClient = await protect(config); ``` -------------------------------- ### CipherStash Proxy Project Overview Source: https://github.com/cipherstash/proxy Provides a high-level description of the CipherStash Proxy project's core functionality. It highlights the ability to encrypt and search sensitive data in PostgreSQL without requiring changes to the SQL database schema. ```APIDOC Project: cipherstash/proxy Description: Encrypt and search your sensitive data in PostgreSQL, with no SQL changes. Website: https://cipherstash.com ``` -------------------------------- ### Project Overview: cipherstash/proxy Source: https://github.com/cipherstash/proxy This snippet provides a high-level description of the cipherstash/proxy project. It highlights the core functionality of encrypting and searching sensitive data within PostgreSQL databases, emphasizing the benefit of not requiring any modifications to the existing SQL structure. ```APIDOC Project: Name: cipherstash/proxy Description: Encrypt and search your sensitive data in PostgreSQL, with no SQL changes. Key Features: - Sensitive data encryption - Secure data searching - PostgreSQL integration - No SQL schema modifications required ``` -------------------------------- ### Proxy Repository Link Source: https://cipherstash.com/products/zerokms Provides a link to the GitHub repository for the Proxy integration. It includes UI elements like a button and an SVG icon. ```javascript { "className": "text-sm font-medium leading-none text-white hover:text-light-purple content-center disabled:opacity-50 disabled:cursor-not-allowed w-full text-left flex items-center gap-2", "children": [ "Proxy repo", " ", [ "$", "svg", null, { "ref": "$undefined", "xmlns": "http://www.w3.org/2000/svg", "width": 24, "height": 24, "viewBox": "0 0 24 24", "fill": "none", "stroke": "currentColor", "strokeWidth": 2, "strokeLinecap": "round", "strokeLinejoin": "round", "className": "lucide lucide-arrow-right w-4 h-4", "children": [ [ "$", "path", "1ays0h", { "d": "M5 12h14" } ], [ "$", "path", "xquz4c", { "d": "m12 5 7 7-7 7" } ], "$undefined" ] } ] ], "disabled": "$undefined" } ``` -------------------------------- ### Next.js Client-Side Bootstrapping Source: https://cipherstash.com/products/zerokms This JavaScript snippet initializes and populates the `__next_f` array, which is part of the Next.js framework's internal client-side bootstrapping process. It's used for managing application state and loading modules during client-side rendering. ```javascript (self.__next_f=self.__next_f||[]).push([0])self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[7069,[\"8447\",\"static/chunks/fddab8e2-5f074bfbd72e1114.js\",\"2144\",\"static/chunks/2144-702784bda4635d67.js\",\"3289\",\"static/chunks/3289-d9750d15ffadfe54.js\",\"8030\",\"static/chunks/8030-4225af9d26556e9c.js\",\"5770\",\"static/chunks/5770-3f4c12d2dfce272f.js\",\"8725\",\"static/chunks/8725-d6d48cd29f601cfb.js\",\"7177\",\"static/chunks/app/layout-51285a52ebb7c655.js\"],\"\"]\n3:I[7030,[\"8447\",\"static/chunks/fddab8e2-5f074bfbd72e1114.js\",\"2144\",\"static/chunks/2144-702784bda4635d67.js\",\"3289\",\"static/chunks/3289-d9750d15ffadfe54.js\",\"8030\",\"static/chunks/8030-4225af9d26556e9c.js\",\"5770\",\"static/chunks/5770-3f4c12d2dfce272f.js\",\"8725\",\"static/chunks/8725-d6d48cd29f601cfb.js\",\"7177\",\"static/chunks/app/layout-51285a52ebb7c655.js\"],\"LinkedInTracking\"]\n4:I[6680,[\"8447\",\"static/chunks/fddab8e2-5f074bfbd72e1114.js\",\"2144\",\"static/chunks/2144-702784bda4635d67.js\",\"3289\",\"static/chunks/3289-d9750d15ffadfe54.js\",\"8030\",\"static/chunks/8030-4225af9d26556e9c.js\",\"5770\",\"static/chunks/5770-3f4c12d2dfce272f.js\",\"8725\",\"static/chunks/8725-d6d48cd29f601cfb.js\",\"7177\",\"static/chunks/app/layout-51285a52ebb7c655.js\"],\"CSPostHogProvider\"]\n5:I[3360,[\"8447\",\"static/chunks/fddab8e2-5f074bfbd72e1114.js\",\"2144\",\"static/chunks/2144-702784bda4635d67.js\",\"3289\",\"static/chunks/3289-d9750d15ffadfe54.js\",\"8030\",\"static/chunks/8030-4225af9d26556e9c.js\",\"5770\",\"static/chunks/5770-3f4c12d2dfce272f.js\",\"8725\",\"static/chunks/8725-d6d48cd29f601cfb.js\",\"7177\",\"static/chunks/app/layout-51285a52ebb7c655.js\"],\"Header\"]\n6:I[717,[],\"\"]\n7:I[1881,[],\"\"]\n9:I[3670,[\"8447\",\"static/chunks/fddab8e2-5f074bfbd72e1114.js\",\"2144\",\"static/chunks/2144-702784bda4635d67.js\",\"3289\",\"static/chunks/3289-d9750d15ffadfe54.js\",\"8030\",\"static/chunks/8030-4225af9d26556e9c.js\",\"5770\",\"static/chunks/5770-3f4c12d2dfce272f.js\",\"8725\",\"static/chunks/8725-d6d48cd29f601cfb.js\",\"7177\",\"static/chunks/app/layout-51285a52ebb7c655.js\"],\"Footer\"]\na:I[5588,[\"8447\",\"static/chunks/fddab8e2-5f074bfbd72e1114.js\",\"2144\",\"static/chunks/2144-702784bda4635d67.js\",\"3289\",\"static/chunks/3289-d9750d15f\"],\"\"])self.__next_f.push([1,"fadfe54.js\",\"8030\",\"static/chunks/8030-4225af9d26556e9c.js\",\"5770\",\"static/chunks/5770-3f4c12d2dfce272f.js\",\"8725\",\"static/chunks/8725-d6d48cd29f601cfb.js\",\"7177\",\"static/chunks/app/layout-51285a52ebb7c655.js\"],\"SpeedInsights\"]\nb:I[8912,[\"8447\",\"static/chunks/fddab8e2-5f074bfbd72e1114.js\",\"2144\",\"static/chunks/2144-702784bda4635d67.js\",\"3289\",\"static/chunks/3289-d9750d15ffadfe54.js\",\"8030\",\"static/chunks/8030-4225af9d26556e9c.js\",\"5770\",\"static/chunks/5770-3f4c12d2dfce272f.js\",\"8725\",\"static/chunks/8725-d6d48cd29f601cfb.js\",\"7177\",\"static/chunks/app/layout-51285a52ebb7c655.js\"],\"IntercomComponent\"]\nc:\"$Sreact.suspense\"\nd:I[555,[\"8447\",\"static/chunks/fddab8e2-5f074bfbd72e1114.js\",\"2144\",\"static/chunks/2144-702784bda4635d67.js\",\"3289\",\"static/chunks/3289-d9750d15ffadfe54.js\",\"8030\",\"static/chunks/8030-4225af9d26556e9c.js\",\"5770\",\"static/chunks/5770-3f4c12d2dfce272f.js\",\"8725\",\"static/chunks/8725-d6d48cd29f601cfb.js\",\"7177\",\"static/chunks/app/layout-51285a52ebb7c655.js\"],\"default\"]\ne:I[5428,[\"8447\",\"static/chunks/fddab8e2-5f074bfbd72e1114.js\",\"2144\",\"static/chunks/2144-702784bda4635d67.js\",\"3289\",\"static/chunks/3289-d9750d15ffadfe54.js\",\"8030\",\"static/chunks/8030-4225af9d26556e9c.js\",\"5770\",\"static/chunks/5770-3f4c12d2dfce272f.js\",\"8725\",\"static/chunks/8725-d6d48cd29f601cfb.js\",\"7177\",\"static/chunks/app/layout-51285a52ebb7c655.js\"],\"GoogleAnalytics\"]\nf:I[2144,[\"2144\",\"static/chunks/2144-702784bda4635d67.js\",\"3289\",\"static/chunks/3289-d9750d15ffadfe54.js\",\"5770\",\"static/chunks/5770-3f4c12d2dfce272f.js\",\"8823\",\"static/chunks/8823-703f201dd9105723.js\",\"6583\",\"static/chunks/app/products/zerokms/page-d0228a07be086761.js\"],\"\"]\n10:I[3289,[\"2144\",\"static/chunks/2144-702784bda4635d67.js\",\"3289\",\"static/chunks/3289-d9750d15ffadfe54.js\",\"5770\",\"static/chunks/5770-3f4c12d2dfce272f.js\",\"8823\",\"static/chunks/8823-703f201dd9105723.js\",\"6583\",\"chun ``` -------------------------------- ### Connect to Proxy via Docker Source: https://github.com/cipherstash/proxy This command allows you to connect to the CipherStash proxy using Docker Compose. It establishes a psql session to the specified database, enabling interaction with encrypted data. ```shell docker compose exec proxy psql postgres://cipherstash:3ncryp7@localhost:6432/cipherstash ``` -------------------------------- ### Connect to CipherStash Proxy Database Source: https://github.com/cipherstash/proxy Establishes an interactive session with the database via CipherStash Proxy using Docker. This command connects to the 'cipherstash' database on localhost. ```shell docker compose exec proxy psql postgres://cipherstash:3ncryp7@localhost:6432/cipherstash ``` -------------------------------- ### Tooltip Styling and Behavior Source: https://github.com/cipherstash/proxy Defines CSS rules for creating and managing tooltips, including their appearance, positioning, and animation. It covers various states like hover, active, and focus, as well as multiline and alignment variations. ```css .gMOVLe[data-size="medium"]{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;min-width:0;}/ /* CSS for general layout and flex properties */ .gMOVLe[data-size="medium"] svg{color:var(--fgColor-muted,var(--color-fg-muted,#656d76));}/ .gMOVLe[data-size="medium"] > span{width:inherit;}/ .gUkoLg{-webkit-box-pack:center;-webkit-justify-content:center;-ms-flex-pack:center;justify-content:center;}/ .bZBlpz{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;width:100%;}/ .lhTYNA{margin-right:4px;color:var(--fgColor-muted,var(--color-fg-muted,#656d76));}/ .ffLUq{font-size:14px;min-width:0;overflow:hidden;text-overflow:ellipsis;white-space:nowrap;}/ .bmcJak{min-width:0;}/ .hUCRAk{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}/ /* Tooltip Base Styling */ data-styled.g1[id="Box-sc-g0xbh4-0"]{content:"gMOVLe,gUkoLg,bZBlpz,lhTYNA,ffLUq,bmcJak,hUCRAk,";}/ .hWlpPn{position:relative;display:inline-block;}/ .hWlpPn::after{position:absolute;z-index:1000000;display:none;padding:0.5em 0.75em;font:normal normal 11px/1.5 -apple-system,BlinkMacSystemFont,"Segoe UI","Noto Sans",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";-webkit-font-smoothing:subpixel-antialiased;color:var(--tooltip-fgColor,var(--fgColor-onEmphasis,var(--color-fg-on-emphasis,#ffffff)));text-align:center;-webkit-text-decoration:none;text-decoration:none;text-shadow:none;text-transform:none;-webkit-letter-spacing:normal;-moz-letter-spacing:normal;-ms-letter-spacing:normal;letter-spacing:normal;word-wrap:break-word;white-space:pre;pointer-events:none;content:attr(aria-label);background:var(--tooltip-bgColor,var(--bgColor-emphasis,var(--color-neutral-emphasis-plus,#24292f)));border-radius:6px;opacity:0;}/ /* Tooltip Animation */ @-webkit-keyframes tooltip-appear{from{opacity:0;}to{opacity:1;}}/ @keyframes tooltip-appear{from{opacity:0;}to{opacity:1;}}/ .hWlpPn:hover::after,.hWlpPn:active::after,.hWlpPn:focus::after,.hWlpPn:focus-within::after{display:inline-block;-webkit-text-decoration:none;text-decoration:none;-webkit-animation-name:tooltip-appear;animation-name:tooltip-appear;-webkit-animation-duration:0.1s;animation-duration:0.1s;-webkit-animation-fill-mode:forwards;animation-fill-mode:forwards;-webkit-animation-timing-function:ease-in;animation-timing-function:ease-in;-webkit-animation-delay:0s;animation-delay:0s;}/ .hWlpPn.tooltipped-no-delay:hover::after,.hWlpPn.tooltipped-no-delay:active::after,.hWlpPn.tooltipped-no-delay:focus::after,.hWlpPn.tooltipped-no-delay:focus-within::after{-webkit-animation-delay:0s;animation-delay:0s;}/ .hWlpPn.tooltipped-multiline:hover::after,.hWlpPn.tooltipped-multiline:active::after,.hWlpPn.tooltipped-multiline:focus::after,.hWlpPn.tooltipped-multiline:focus-within::after{display:table-cell;}/ /* Tooltip Positioning */ .hWlpPn.tooltipped-s::after,.hWlpPn.tooltipped-se::after,.hWlpPn.tooltipped-sw::after{top:100%;right:50%;margin-top:6px;}/ .hWlpPn.tooltipped-se::after{right:auto;left:50%;margin-left:-16px;}/ .hWlpPn.tooltipped-sw::after{margin-right:-16px;}/ .hWlpPn.tooltipped-n::after,.hWlpPn.tooltipped-ne::after,.hWlpPn.tooltipped-nw::after{right:50%;bottom:100%;margin-bottom:6px;}/ .hWlpPn.tooltipped-ne::after{right:auto;left:50%;margin-left:-16px;}/ .hWlpPn.tooltipped-nw::after{margin-right:-16px;}/ .hWlpPn.tooltipped-s::after,.hWlpPn.tooltipped-n::after{-webkit-transform:translateX(50%);-ms-transform:translateX(50%);transform:translateX(50%);}/ .hWlpPn.tooltipped-w::after{right:100%;bottom:50%;margin-right:6px;-webkit-transform:translateY(50%);-ms-transform:translateY(50%);transform:translateY(50%);}/ .hWlpPn.tooltipped-e::after{bottom:50%;left:100%;margin-left:6px;-webkit-transform:translateY(50%);-ms-transform:translateY(50%);transform:translateY(50%);}/ /* Multiline Tooltip Specifics */ .hWlpPn.tooltipped-multiline::after{width:-webkit-max-content;width:-moz-max-content;width:max-content;max-width:250px;word-wrap:break-word;white-space:pre-line;border-collapse:separate;}/ .hWlpPn.tooltipped-multiline.tooltipped-s::after,.hWlpPn.tooltipped-multiline.tooltipped-n::after{right:auto;left:50%;-webkit-transform:translateX(-50%);-ms-transform:translateX(-50%);transform:translateX(-50%);}/ .hWlpPn.tooltipped-multiline.tooltipped-w::after,.hWlpPn.tooltipped-multiline.tooltipped-e::after{right:100%;}/ /* Alignment Adjustments */ .hWlpPn.tooltipped-align-right-2::after{right:0;margin-right:0;}/ .hWlpPn.tooltipped-align-left-2::after{left:0;margin-left:0;}/ data-styled.g4[id="Tooltip__TooltipBase-sc-17tf59c-0"]{content:"hWlpPn,";}/ ``` -------------------------------- ### Connect to Proxy Database Source: https://github.com/cipherstash/proxy This command connects to the PostgreSQL database through the CipherStash proxy. It uses `docker compose exec` to run the `psql` client within the proxy container, specifying the connection string with user, password, host, and database name. ```shell docker compose exec proxy psql postgres://cipherstash:3ncryp7@localhost:6432/cipherstash ``` -------------------------------- ### CipherStash Proxy Implementation for BNDRY Source: https://cipherstash.com/case-studies/bndry Details BNDRY's technical stack and implementation strategy for CipherStash Proxy. This includes their DevOps practices, infrastructure as code, Kubernetes deployment, database usage, and frontend/backend technologies. ```APIDOC BNDRY Technical Stack & CipherStash Proxy Implementation: - **DevOps Focus**: Strongly DevOps-focused team. - **Infrastructure as Code**: Utilizes infrastructure as code for composable architecture. - **Deployment Environment**: Kubernetes cluster, specifically Amazon EKS. - **Database**: PostgreSQL with row-level security (RLS) access control. - **Backend**: Go. - **Frontend**: Vue.js. - **CipherStash Proxy Integration**: Deployed as a service within the Kubernetes cluster. - **Implementation Strategy**: - Initial validation without encryption. - Incremental encryption of database columns to build confidence. - Transition to transparent Proxy solution with no application code changes required. - **Key Module Used**: CipherStash Protect module for Go was used for initial validation. ``` -------------------------------- ### Insert and Query Encrypted Data in SQL Source: https://github.com/cipherstash/proxy Demonstrates inserting records with encrypted fields (email, DOB, salary) and querying based on these encrypted fields. The comparison in the WHERE clause is performed on encrypted data, showcasing CipherStash's transparent encryption capabilities. ```sql INSERT INTO users (encrypted_email, encrypted_dob, encrypted_salary) VALUES ('bob@cipherstash.com', '1991-03-06', '10'); INSERT INTO users (encrypted_email, encrypted_dob, encrypted_salary) VALUES ('carol@cipherstash.com', '2005-12-30', '1000'); SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users WHERE encrypted_salary <= 100; SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users WHERE encrypted_email LIKE 'alice'; ``` -------------------------------- ### Connecting Directly to PostgreSQL Source: https://github.com/cipherstash/proxy Command to establish an interactive psql session connected directly to the underlying PostgreSQL database. This session shows the raw, encrypted data as stored in the database, bypassing the CipherStash Proxy's decryption layer. ```shell docker compose exec proxy psql postgres://cipherstash:3ncryp7@postgres:5432/cipherstash ``` -------------------------------- ### Insert and Query Encrypted Data Source: https://github.com/cipherstash/proxy Demonstrates inserting records with encrypted fields and querying them using WHERE clauses on encrypted data. The Proxy transparently encrypts data on insert and handles encrypted comparisons on select. ```sql INSERT INTO users (encrypted_email, encrypted_dob, encrypted_salary) VALUES ('bob@cipherstash.com', '1991-03-06', '10'); INSERT INTO users (encrypted_email, encrypted_dob, encrypted_salary) VALUES ('carol@cipherstash.com', '2005-12-30', '1000'); SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users WHERE encrypted_salary <= 100; ``` ```sql SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users WHERE encrypted_email LIKE 'alice'; ``` ```sql SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users WHERE encrypted_dob > '2000-01-01'; ``` -------------------------------- ### Connect to Proxy psql Source: https://raw.githubusercontent.com/cipherstash/proxy/refs/heads/main/README Connects to the PostgreSQL database via the CipherStash Proxy using Docker Compose. This command allows interaction with the database through the proxy's encrypted interface, enabling secure query execution. ```bash docker compose exec proxy psql postgres://cipherstash:3ncryp7@localhost:6432/cipherstash ``` -------------------------------- ### ZeroKMS Integration with TypeScript Source: https://cipherstash.com/products/zerokms Illustrates the integration capabilities of ZeroKMS with modern application development, specifically mentioning support for TypeScript SDKs. ```TypeScript // Example of integrating ZeroKMS SDK in a TypeScript application // Assuming an SDK is available: // import { ZeroKMSClient } from '@cipherstash/zerokms-sdk'; // async function encryptDataWithZeroKMS(recordId: string, data: any): Promise { // const client = new ZeroKMSClient({ // // Configuration options like endpoint, credentials, etc. // }); // // Derive a unique key for the record // const encryptionKey = await client.deriveKey({ recordId }); // // Encrypt the data using the derived key (e.g., AES-GCM) // const encryptedData = await client.encrypt({ key: encryptionKey, plaintext: JSON.stringify(data) }); // // Store encryptedData and potentially metadata associated with the recordId // return encryptedData; // } // async function decryptDataWithZeroKMS(recordId: string, encryptedData: string): Promise { // const client = new ZeroKMSClient({ // // Configuration options // }); // // Derive the same unique key for the record, requiring identity verification // const decryptionKey = await client.deriveKey({ recordId }); // // Decrypt the data // const decryptedPlaintext = await client.decrypt({ key: decryptionKey, ciphertext: encryptedData }); // return JSON.parse(decryptedPlaintext); // } ``` -------------------------------- ### Connect Directly to PostgreSQL Database Source: https://github.com/cipherstash/proxy Establishes an interactive session directly with the PostgreSQL database container. This is used to view the raw, encrypted data stored on disk, contrasting with the proxy view. ```shell docker compose exec proxy psql postgres://cipherstash:3ncryp7@postgres:5432/cipherstash ``` -------------------------------- ### Insert and Select Data via CipherStash Proxy Source: https://github.com/cipherstash/proxy Demonstrates inserting a record into the 'users' table and then selecting the same record back. The data appears unencrypted through the proxy, as CipherStash handles transparent encryption/decryption. ```sql INSERT INTO users (encrypted_email, encrypted_dob, encrypted_salary) VALUES ('alice@cipherstash.com', '1970-01-01', '100'); SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users; ``` -------------------------------- ### SQL Operations with Encrypted Data via Proxy Source: https://github.com/cipherstash/proxy Demonstrates basic SQL operations (INSERT, SELECT, UPDATE) performed through the CipherStash Proxy. The proxy handles encryption/decryption transparently, allowing standard SQL syntax for operations on sensitive fields like email, date of birth, and salary. ```sql -- Insert data via Proxy INSERT INTO users (encrypted_email, encrypted_dob, encrypted_salary) VALUES ('alice@cipherstash.com', '1970-01-01', '100'); -- Select data via Proxy (returns decrypted data) SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users; -- Update data via Proxy (WHERE clause operates on encrypted data) UPDATE users SET encrypted_dob = '1978-02-01' WHERE encrypted_email = 'alice@cipherstash.com'; -- Select specific encrypted field via Proxy (returns decrypted data) SELECT encrypted_dob FROM users WHERE encrypted_email = 'alice@cipherstash.com'; ``` -------------------------------- ### Insert and Search Encrypted Data by Salary Source: https://raw.githubusercontent.com/cipherstash/proxy/refs/heads/main/README Inserts new user records with encrypted salary data and then queries them using a salary range (<= 100). This showcases searching encrypted numerical data, demonstrating that range comparisons work on encrypted values. ```sql INSERT INTO users (encrypted_email, encrypted_dob, encrypted_salary) VALUES ('bob@cipherstash.com', '1991-03-06', '10'); INSERT INTO users (encrypted_email, encrypted_dob, encrypted_salary) VALUES ('carol@cipherstash.com', '2005-12-30', '1000'); SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users WHERE encrypted_salary <= 100; ``` -------------------------------- ### Search Encrypted Data by Email (LIKE) Source: https://raw.githubusercontent.com/cipherstash/proxy/refs/heads/main/README Queries user data using a LIKE clause on an encrypted email address. This demonstrates that pattern matching operations are also supported on encrypted string data through the proxy. ```sql SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users WHERE encrypted_email LIKE 'alice'; ```