2 min read

Supabase adds searchable field-level encryption

Supabase now integrates with CipherStash, letting teams encrypt sensitive fields while still running searches, joins, and indexes on Postgres data.

Image: Hacker News

Supabase has launched an integration with CipherStash that brings searchable field-level encryption to Supabase projects without requiring schema changes. The setup is a single CLI command: npx stash init --supabase.

CipherStash is a Data Level Access Control (DLAC) platform for applications built on Postgres. Instead of stopping at row- or table-level permissions, DLAC applies policies to individual encrypted values. Those policies are enforced at decryption time rather than in the query layer.

That addresses a common tradeoff for teams handling regulated data. Traditional field-level encryption turns values into random bytes from Postgres’s point of view, which breaks WHERE email = ? queries, disables useful indexing, and makes joins fail unless applications pull rows back and decrypt them in memory. The alternative is leaving sensitive data in plaintext.

CipherStash positions itself as a third option. Data is encrypted in the application before it reaches the database, with a unique key per value. Each encrypted field is stored as a single JSON payload containing ciphertext and Searchable Encrypted Metadata (SEM). According to the company, that gives Postgres enough information to filter, sort, and join encrypted data without exposing the original value.

The integration works through an encrypted Supabase SDK wrapper and supports Supabase.js, Drizzle, and Prisma Next in TypeScript applications. CipherStash says encrypted columns continue to support:

Recommended reading

SQLite handled 315M daily requests on a laptop

  • WHERE clauses
  • fuzzy text matching
  • ORDER BY
  • JSON queries

Keys are managed through ZeroKMS, CipherStash’s zero-knowledge key management service. The company says keys never leave customer control, so neither CipherStash nor Supabase can access plaintext data. Keys can also be split across regions to satisfy residency requirements tied to frameworks including FedRAMP and IL4.

For cases where an SDK wrapper is not practical—such as analytics jobs, admin tools, background workers in other languages, or direct database access—CipherStash Proxy can sit in front of Postgres and handle encryption and decryption over the Postgres wire protocol without code changes.

CipherStash is pitching the integration at teams working under HIPAA, GDPR, and SOC 2, where searchable encryption could reduce both compliance overhead and breach exposure.

Marcus Vance

Enterprise Editor

Marcus follows the money. He covers enterprise software, cloud architecture, and the tectonic shifts in Big Tech strategy. He translates dense earnings calls and complex M&A activity into actionable insights about where the industry is actually heading. If a tech giant makes a silent pivot, Marcus is usually the first to notice.

via Hacker News

// Keep reading