- What: Integration of CipherStash’s Data Level Access Control (DLAC) into Supabase.
- Key Feature: Field-level encryption that remains searchable without decrypting data first.
- Ease of Use: Instant setup via a single CLI command:
npx stash init --supabase. - Security: Zero-knowledge key management ensures neither Supabase nor CipherStash can access plaintext data.
Supabase and CipherStash have announced a major integration that brings searchable, field-level encryption to the Postgres-based platform, effectively ending the historical trade-off between data security and application performance. Available immediately, this integration allows developers to encrypt sensitive fields at the application layer while maintaining full database functionality, including complex queries, joins, and filters. By utilizing Data Level Access Control (DLAC), the partnership aims to simplify compliance for teams handling regulated data under frameworks like HIPAA, GDPR, and SOC 2.
Solving the "Two Bad Options" Dilemma
For years, developers working with sensitive information have faced a binary choice that compromised either security or usability. According to the announcement, teams usually choose between two suboptimal paths: traditional field-level encryption or skipping encryption altogether.
In traditional field-level encryption, encrypted values appear as random bytes to the database. This breaks essential Postgres features; WHERE clauses fail to match, indexes stop working, and joins become impossible. To search this data, applications are forced to pull every row, decrypt them in memory, and filter them—an approach that is both computationally expensive and difficult to scale.
Alternatively, many teams skip encryption to keep their applications fast, leaving plaintext sensitive data vulnerable. As Supabase and CipherStash note, this creates a massive liability where plaintext data is the first thing auditors examine following a breach. The new CipherStash integration provides a "third option" by extending access control down to individual encrypted values.
Technical Architecture: DLAC and Searchable Metadata
The core of this solution is CipherStash’s Data Level Access Control (DLAC). Unlike traditional access control, which operates at the row or table level, DLAC enforces policies at the moment of decryption rather than at the query layer.
The technology relies on Searchable Encrypted Metadata (SEM). When data is encrypted at the application layer, it is stored as a JSON payload containing both the ciphertext and the SEM. This metadata contains enough information for Postgres to filter, sort, and join the data, but lacks the necessary components to recover the original plaintext value.
When a query is executed, it is converted into SEM on its way to the database. Postgres then matches the query against the stored SEM and returns only the authorized ciphertexts. Every encrypted value carries its own policy determining who can read it and under what conditions, providing a granular level of security previously unavailable in standard Postgres deployments.
Zero-Knowledge Security and Key Management
A critical component of the integration is the ZeroKMS, CipherStash’s zero-knowledge key management service. The system ensures that encryption keys never leave the user's control. Each encrypted value is assigned a unique key that is derived on demand.
Because these keys are managed independently, neither CipherStash nor Supabase can access the plaintext data stored within the database. For organizations with strict data residency requirements, keys can be split across different regions to comply with high-level frameworks such as FedRAMP and IL4.
The integration is designed to be developer-friendly, requiring no changes to the existing database schema. It works natively with the Supabase SDK wrapper and supports popular tools including Supabase.js, Drizzle, and Prisma.
Impact on Developers and Regulated Industries
This integration changes the fundamental math for developers building in regulated sectors. By allowing encryption to happen transparently in the application layer, the "breach surface" is significantly reduced.
"For teams under HIPAA, GDPR, or SOC 2, you keep Postgres, Supabase, and search, with a shorter compliance review and a smaller breach surface," the announcement states. This means developers no longer have to build expensive workarounds to search through encrypted datasets, as WHERE clauses, fuzzy text matching, and ORDER BY commands continue to function as expected.
For edge cases where a standard SDK isn't suitable—such as background workers in other languages or analytics jobs—the integration includes the CipherStash Proxy. This proxy speaks the Postgres wire protocol and handles encryption and decryption transparently, allowing legacy SQL clients and admin tools to interact with encrypted data without requiring code changes.
What’s Next
The CipherStash integration is now available for all Supabase projects. Developers can begin by running the initialization command through the CLI to add DLAC to their existing TypeScript applications.
As the AI industry continues to grapple with data privacy concerns, the ability to feed encrypted, yet searchable, data into AI agents and applications is expected to become a standard requirement. The move positions Supabase and CipherStash as leaders in the push for "cryptographic access control," potentially setting a new benchmark for how sensitive data is handled in the cloud-native Postgres ecosystem.

