Protect.js lets you encrypt every value with its own key—without sacrificing performance or usability. Encryption happens in your app; ciphertext is stored in your database.
Per‑value unique keys are powered by CipherStash ZeroKMS bulk key operations, backed by a root key in AWS KMS.
Visit the documentation for our products to get started:
- Protect.js - End-to-end field level encryption for JavaScript/TypeScript apps with zero‑knowledge key management
- Stash - Secrets Manager - Store and manage secrets like API keys and database credentials with zero-trust encryption
- Protect.js for Drizzle ORM - Seamlessly integrate Protect.js with Drizzle ORM and PostgreSQL
Protect.js protects data using industry-standard AES encryption and uses ZeroKMS for bulk encryption and decryption operations, which makes it up to 14x faster than AWS KMS or HashiCorp Vault. This enables every encrypted value, in every column, in every row in your database to have a unique key, without sacrificing performance.
Features:
- Bulk encryption and decryption: Encrypt and decrypt thousands of records at once, while using a unique key for every value
- Identity-aware encryption: Lock down access to sensitive data by requiring a valid JWT to perform decryption
- Searchable encryption: Search encrypted data in PostgreSQL with equality, range, and text search
- TypeScript support: Strongly typed with TypeScript interfaces and types
- Audit trail: Every decryption event is logged via ZeroKMS Access Intelligence to help you prove compliance
Use cases:
- Trusted data access: Ensure only your end-users can access their sensitive data
- Meet compliance requirements faster: Meet stringent 2026 privacy and security requirements
- Reduce the blast radius of data breaches: Limit the impact of exploited vulnerabilities to only the data your end-users can decrypt
Important
You need to opt out of bundling when using Protect.js. Protect.js uses Node.js-specific features and requires the use of the native Node.js require. See the documentation for bundling configuration guides.
The Protect.js community can be found on Discord where you can ask questions, voice ideas, and share your projects with other people.
Do note that our Code of Conduct applies to all Protect.js community channels. Users are highly encouraged to read and adhere to it to avoid repercussions.
Contributions to Protect.js are welcome and highly appreciated. However, before you jump right into it, we would like you to review our Contribution Guidelines to make sure you have a smooth experience contributing to Protect.js.
If you believe you have found a security vulnerability in Protect.js, we encourage you to responsibly disclose this and NOT open a public issue.
Please email security@cipherstash.com with details about the vulnerability. We will review your report and provide further instructions for submitting your report.
Protect.js is MIT licensed.