Merge pull request #212 from cipherstash/keyset-config

calvinbrewer · web-flow · commit 231b5dfca104 · 2025-11-13T07:06:34.000-07:00
feat: support selecting keysets by identifier
diff --git a/.changeset/large-masks-wink.md b/.changeset/large-masks-wink.md
@@ -0,0 +1,5 @@
+---
+"@cipherstash/protect": minor
+---
+
+Added support for multi-tenant encryption with configurable keysets.
diff --git a/README.md b/README.md
@@ -112,6 +112,7 @@ const decrypted = await client.decrypt(encrypted.data);
 - [Identity-aware encryption](#identity-aware-encryption)
 - [Supported data types](#supported-data-types)
 - [Searchable encryption](#searchable-encryption)
+- [Multi-tenant encryption](#multi-tenant-encryption)
 - [Logging](#logging)
 - [CipherStash Client](#cipherstash-client)
 - [Example applications](#example-applications)
@@ -1043,9 +1044,43 @@ The table below summarizes these cases.
 
 Read more about [searching encrypted data](./docs/concepts/searchable-encryption.md) in the docs.
 
+## Multi-tenant encryption
+
+Protect.js supports multi-tenant encryption by using keysets.
+Each keyset is cryptographically isolated from other keysets which esentially means that each tenant has their own unique keyspace.
+If you are using a multi-tenant application, you can use keysets to encrypt data for each tenant creating a strong security boundary.
+
+In the [CipherStash Dashboard](https://dashboard.cipherstash.com/workspaces/_/encryption/keysets), you can create and manage keysets and then use the keyset identifier to encrypt data for each tenant when initializing the Protect.js client.
+
+```typescript
+import { protect } from "@cipherstash/protect";
+import { users } from "./protect/schema";
+
+const protectClient = await protect({
+  schemas: [users],
+  keyset: {
+    // Must be a valid UUID which can be found in the CipherStash Dashboard
+    id: '123e4567-e89b-12d3-a456-426614174000'
+  },
+})
+
+// or with a keyset name
+
+const protectClient = await protect({
+  schemas: [users],
+  keyset: {
+    name: 'Company A'
+  },
+})
+```
+
+> [!IMPORTANT]
+> When creating a new keyset, make sure to grant your client access to the keyset or client initialization will fail.
+> Read more about [managing keyset access](https://cipherstash.com/docs/platform/workspaces/key-sets).
+
 ## Logging
 
-> [!IMPORTANT] 
+> [!TIP] 
 > `@cipherstash/protect` will NEVER log plaintext data.
 > This is by design to prevent sensitive data from leaking into logs.
 
diff --git a/mise.toml b/mise.toml
diff --git a/packages/protect/README.md b/packages/protect/README.md
@@ -112,6 +112,7 @@ const decrypted = await client.decrypt(encrypted.data);
 - [Identity-aware encryption](#identity-aware-encryption)
 - [Supported data types](#supported-data-types)
 - [Searchable encryption](#searchable-encryption)
+- [Multi-tenant encryption](#multi-tenant-encryption)
 - [Logging](#logging)
 - [CipherStash Client](#cipherstash-client)
 - [Example applications](#example-applications)
@@ -994,9 +995,43 @@ Until support for other data types are available, you can express interest in th
 
 Read more about [searching encrypted data](./docs/concepts/searchable-encryption.md) in the docs.
 
+## Multi-tenant encryption
+
+Protect.js supports multi-tenant encryption by using keysets.
+Each keyset is cryptographically isolated from other keysets which esentially means that each tenant has their own unique keyspace.
+If you are using a multi-tenant application, you can use keysets to encrypt data for each tenant creating a strong security boundary.
+
+In the [CipherStash Dashboard](https://dashboard.cipherstash.com/workspaces/_/encryption/keysets), you can create and manage keysets and then use the keyset identifier to encrypt data for each tenant when initializing the Protect.js client.
+
+```typescript
+import { protect } from "@cipherstash/protect";
+import { users } from "./protect/schema";
+
+const protectClient = await protect({
+  schemas: [users],
+  keyset: {
+    // Must be a valid UUID which can be found in the CipherStash Dashboard
+    id: '123e4567-e89b-12d3-a456-426614174000'
+  },
+})
+
+// or with a keyset name
+
+const protectClient = await protect({
+  schemas: [users],
+  keyset: {
+    name: 'Company A'
+  },
+})
+```
+
+> [!IMPORTANT]
+> When creating a new keyset, make sure to grant your client access to the keyset or client initialization will fail.
+> Read more about [managing keyset access](https://cipherstash.com/docs/platform/workspaces/key-sets).
+
 ## Logging
 
-> [!IMPORTANT] 
+> [!TIP] 
 > `@cipherstash/protect` will NEVER log plaintext data.
 > This is by design to prevent sensitive data from leaking into logs.
 
diff --git a/packages/protect/__tests__/keysets.test.ts b/packages/protect/__tests__/keysets.test.ts
@@ -0,0 +1,89 @@
+import 'dotenv/config'
+import { csColumn, csTable } from '@cipherstash/schema'
+import { describe, expect, it } from 'vitest'
+import { protect } from '../src'
+
+const users = csTable('users', {
+  email: csColumn('email'),
+})
+
+describe('encryption and decryption with keyset id', () => {
+  it('should encrypt and decrypt a payload', async () => {
+    const protectClient = await protect({
+      schemas: [users],
+      keyset: {
+        id: '4152449b-505a-4186-93b6-d3d87eba7a47',
+      },
+    })
+
+    const email = 'hello@example.com'
+
+    const ciphertext = await protectClient.encrypt(email, {
+      column: users.email,
+      table: users,
+    })
+
+    if (ciphertext.failure) {
+      throw new Error(`[protect]: ${ciphertext.failure.message}`)
+    }
+
+    // Verify encrypted field
+    expect(ciphertext.data).toHaveProperty('c')
+
+    const a = ciphertext.data
+
+    const plaintext = await protectClient.decrypt(ciphertext.data)
+
+    expect(plaintext).toEqual({
+      data: email,
+    })
+  }, 30000)
+})
+
+describe('encryption and decryption with keyset name', () => {
+  it('should encrypt and decrypt a payload', async () => {
+    const protectClient = await protect({
+      schemas: [users],
+      keyset: {
+        name: 'Test',
+      },
+    })
+
+    const email = 'hello@example.com'
+
+    const ciphertext = await protectClient.encrypt(email, {
+      column: users.email,
+      table: users,
+    })
+
+    if (ciphertext.failure) {
+      throw new Error(`[protect]: ${ciphertext.failure.message}`)
+    }
+
+    // Verify encrypted field
+    expect(ciphertext.data).toHaveProperty('c')
+
+    const a = ciphertext.data
+
+    const plaintext = await protectClient.decrypt(ciphertext.data)
+
+    expect(plaintext).toEqual({
+      data: email,
+    })
+  }, 30000)
+})
+
+describe('encryption and decryption with invalid keyset id', () => {
+  it('should throw an error', async () => {
+    await expect(
+      protect({
+        schemas: [users],
+        keyset: {
+          id: 'invalid-uuid',
+        },
+      }),
+    ).rejects.toThrow(
+      '[protect]: Invalid UUID provided for keyset id. Must be a valid UUID.',
+    )
+  })
+})
diff --git a/packages/protect/package.json b/packages/protect/package.json
@@ -55,7 +55,7 @@
 	},
 	"dependencies": {
 		"@byteslice/result": "^0.2.0",
-		"@cipherstash/protect-ffi": "0.17.1",
+		"@cipherstash/protect-ffi": "0.18.1",
 		"@cipherstash/schema": "workspace:*",
 		"zod": "^3.24.2"
 	},
diff --git a/packages/protect/src/ffi/index.ts b/packages/protect/src/ffi/index.ts
@@ -9,13 +9,15 @@ import {
 import { type ProtectError, ProtectErrorTypes } from '..'
 import { loadWorkSpaceId } from '../../../utils/config'
 import { logger } from '../../../utils/logger'
+import { toFfiKeysetIdentifier } from '../helpers'
 import type {
   BulkDecryptPayload,
   BulkEncryptPayload,
   Client,
   Decrypted,
   EncryptOptions,
   Encrypted,
+  KeysetIdentifier,
   SearchTerm,
 } from '../types'
 import { BulkDecryptOperation } from './operations/bulk-decrypt'
@@ -49,6 +51,7 @@ export class ProtectClient {
     accessKey?: string
     clientId?: string
     clientKey?: string
+    keyset?: KeysetIdentifier
   }): Promise<Result<ProtectClient, ProtectError>> {
     return await withResult(
       async () => {
@@ -70,6 +73,7 @@ export class ProtectClient {
             accessKey: config.accessKey,
             clientId: config.clientId,
             clientKey: config.clientKey,
+            keyset: toFfiKeysetIdentifier(config.keyset),
           },
         })
 
diff --git a/packages/protect/src/helpers/index.ts b/packages/protect/src/helpers/index.ts
@@ -1,4 +1,5 @@
-import type { Encrypted } from '../types'
+import type { KeysetIdentifier as KeysetIdentifierFfi } from '@cipherstash/protect-ffi'
+import type { Encrypted, KeysetIdentifier } from '../types'
 
 export type EncryptedPgComposite = {
   data: Encrypted
@@ -41,6 +42,18 @@ export function bulkModelsToEncryptedPgComposites<
   return models.map((model) => modelToEncryptedPgComposites(model))
 }
 
+export function toFfiKeysetIdentifier(
+  keyset: KeysetIdentifier | undefined,
+): KeysetIdentifierFfi | undefined {
+  if (!keyset) return undefined
+
+  if ('name' in keyset) {
+    return { Name: keyset.name }
+  }
+
+  return { Uuid: keyset.id }
+}
+
 /**
  * Helper function to check if a value is an encrypted payload
  */
diff --git a/packages/protect/src/index.ts b/packages/protect/src/index.ts
@@ -1,6 +1,7 @@
 import type { ProtectTable, ProtectTableColumn } from '@cipherstash/schema'
 import { buildEncryptConfig } from '@cipherstash/schema'
 import { ProtectClient } from './ffi'
+import type { KeysetIdentifier } from './types'
 
 export const ProtectErrorTypes = {
   ClientInitError: 'ClientInitError',
@@ -23,6 +24,13 @@ export type ProtectClientConfig = {
   accessKey?: string
   clientId?: string
   clientKey?: string
+  keyset?: KeysetIdentifier
+}
+
+function isValidUuid(uuid: string): boolean {
+  const uuidRegex =
+    /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i
+  return uuidRegex.test(uuid)
 }
 
 export const protect = async (
@@ -36,11 +44,22 @@ export const protect = async (
     )
   }
 
+  if (
+    config.keyset &&
+    'id' in config.keyset &&
+    !isValidUuid(config.keyset.id)
+  ) {
+    throw new Error(
+      '[protect]: Invalid UUID provided for keyset id. Must be a valid UUID.',
+    )
+  }
+
   const clientConfig = {
     workspaceCrn: config.workspaceCrn,
     accessKey: config.accessKey,
     clientId: config.clientId,
     clientKey: config.clientKey,
+    keyset: config.keyset,
   }
 
   const client = new ProtectClient(clientConfig.workspaceCrn)
diff --git a/packages/protect/src/types.ts b/packages/protect/src/types.ts
@@ -42,6 +42,14 @@ export type SearchTerm = {
   returnType?: 'eql' | 'composite-literal' | 'escaped-composite-literal'
 }
 
+export type KeysetIdentifier =
+  | {
+      name: string
+    }
+  | {
+      id: string
+    }
+
 /**
  * The return type of the search term based on the return type specified in the `SearchTerm` type
  * If the return type is `eql`, the return type is `Encrypted`
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@cipherstash/protect": minor
 +---
++
 +Added support for multi-tenant encryption with configurable keysets.