Supabase Announces Searchable Encryption with CipherStash Integration

Supabase just announced searchable encryption

5dandraper💬 0
Supabase Announces Searchable Encryption with CipherStash Integration

We are thrilled to introduce CipherStash integration for Supabase, enabling field-level encryption without sacrificing search capabilities. This solution allows you to encrypt sensitive data with unique keys per value while still running efficient queries, joins, and sorts. You maintain full control over your keys through ZeroKMS, ensuring that neither Supabase nor CipherStash can access your plaintext data, offering a secure third option between traditional encryption and skipping security entirely.

"Most teams that handle regulated data end up choosing between two bad options: use traditional field-level encryption that breaks search, or skip encryption and risk a massive breach."

HN discussion

  • CipherStash founder dandraper explains that searchable encryption uses a 2-party key derivation system to ensure SQL injection and RCE attacks cannot decrypt data without valid user credentials, limiting the blast radius even if the database is compromised.
  • Critics argue the technology is 'gold plated compliance security theatre' that fails to mitigate full shell compromises where attackers can read memory, while others counter that per-value key derivation renders such attacks largely inert.
  • The system achieves high-performance queries over millions of rows by using Searchable Encrypted Metadata (SEM) and encrypted bloom filters to leverage PostgreSQL indexes, decrypting only the small result set rather than scanning the entire table.
  • Unlike traditional Row-Level Security (RLS), this approach shifts access control to the data layer, allowing organizations to audit exactly which sensitive values were decrypted and by whom, proving to enterprise clients that internal staff cannot access protected data.

More from this day · 2026-07-19