Merge pull request #176 from cipherstash/add-example-statements-to-docs

auxesis · web-flow · commit bee65abe7900 · 2025-03-19T16:57:41.000+11:00
docs: add example database queries to the Proxy getting started
diff --git a/README.md b/README.md
@@ -79,14 +79,126 @@ stash setup --proxy
 
 # Start the containers
 docker compose up
+```
+
+This will start a PostgreSQL database on `localhost:5432`, and CipherStash Proxy on `localhost:6432`.
+There's an example table called `users` that you can use to start inserting and querying encrypted data with.
+
+> [!NOTE]
+> In this example table we've chosen users' email, date of birth, and salary as examples of the kind of sensitive data that you might want to protect with encryption. 
+
+### Step 1: Insert and read some data <a id='getting-started-step-1'></a>
+
+Now let's connect to the Proxy via `psql` and run some queries:
+
+```bash
+docker compose exec proxy psql postgres://cipherstash:3ncryp7@localhost:6432/cipherstash
+```
 
-# TODO: Run a query
-psql postgres://${CS_DATABASE__USERNAME}:${CS_DATABASE__PASSWORD}@localhost:6432/cipherstash
+This establishes an interactive session with the database, via CipherStash Proxy.
 
-# TODO: Verify the data is encrypted
-psql postgres://${CS_DATABASE__USERNAME}:${CS_DATABASE__PASSWORD}@postgres:5432/cipherstash
+Now insert and read some data via Proxy:
+
+```sql
+INSERT INTO users (encrypted_email, encrypted_dob, encrypted_salary) VALUES ('alice@cipherstash.com', '1970-01-01', '100');
+
+SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users;
+```
+
+The `INSERT` statement inserts a record into the `users` table, and the `SELECT` statement reads the same record back.
+Notice that it looks like nothing happened: the data in the `INSERT` was unencrypted, and the data in the `SELECT` is also unencrypted.
+
+Now let's connect to the database directly via `psql` and see what the data actually looks like behind the scenes:
+
+```bash
+docker compose exec proxy psql postgres://cipherstash:3ncryp7@postgres:5432/cipherstash
 ```
 
+This establishes an interactive session directly with the database (note the change of host to `postgres` and port to `5432`).
+
+Now on this direct `psql` session, query the database directly:
+
+```sql
+SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users;
+```
+
+You'll see the output is _much_ larger, because the `SELECT` returns the raw encrypted data.
+The data is transparently encrypted and decrypted by Proxy in the `INSERT` and `SELECT` statements.
+
+### Step 2: Update the data with a `WHERE` clause <a id='getting-started-step-2'></a>
+
+In your `psql` connection to Proxy:
+
+```bash
+docker compose exec proxy psql postgres://cipherstash:3ncryp7@localhost:6432/cipherstash
+```
+
+Update the data we inserted in [Step 1](#getting-started-step-1), and read it back:
+
+```sql
+UPDATE users SET encrypted_dob = '1978-02-01' WHERE encrypted_email = 'alice@cipherstash.com';
+
+SELECT encrypted_dob FROM users WHERE encrypted_email = 'alice@cipherstash.com';
+```
+
+In the `UPDATE` statement, the `=` comparison operation in the `WHERE` clause is evaluated against **encrypted** data.
+In the `SELECT` statement, the `encrypted_email` value is transparently encrypted by Proxy, and compared in the database against the stored encrypted email value.
+In the `SELECT` statement, the `SELECT` returns `1978-02-01`.
+
+Back on the `psql` session connected directly to the database, verify the data is encrypted:
+
+```sql
+SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users;
+```
+
+This `SELECT` shows the raw encrypted data — no plaintext to see.
+
+### Step 3: Search encrypted data with a `WHERE` clause <a id='getting-started-step-3'></a>
+
+In your `psql` connection to Proxy:
+
+```bash
+docker compose exec proxy psql postgres://cipherstash:3ncryp7@localhost:6432/cipherstash
+```
+
+Insert more records via Proxy, and search by salary:
+
+```sql
+INSERT INTO users (encrypted_email, encrypted_dob, encrypted_salary) VALUES ('bob@cipherstash.com', '1991-03-06', '10');
+INSERT INTO users (encrypted_email, encrypted_dob, encrypted_salary) VALUES ('carol@cipherstash.com', '2005-12-30', '1000');
+
+SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users WHERE encrypted_salary <= 100;
+```
+
+In the `INSERT` statement, the salary value is transparently encrypted by Proxy, and stored in the database in encrypted form.
+In the `SELECT` statement, the `encrypted_salary` value is transparently encrypted and compared in the database against the stored encrypted salary value.
+In the `SELECT` statement, the `<=` comparison operation in the `WHERE` clause is evaluated against **encrypted** data.
+In the `SELECT` statement, the `SELECT` returns `alice` and `bob`, but not `carol`.
+
+Finally, query `users` by date:
+
+```sql
+SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users WHERE encrypted_dob > '2000-01-01' ;
+```
+
+The `encrypted_dob` value is transparently encrypted by Proxy, and compared in the database against the stored encrypted date value.
+The `>` comparison operation is evaluated against **encrypted** data.
+The `SELECT` will only return `carol`.
+
+Back on the `psql` session connected directly to the database, verify the data is encrypted:
+
+```sql
+SELECT encrypted_email, encrypted_dob, encrypted_salary FROM users;
+```
+
+This `SELECT` shows the raw encrypted data, no plaintext to see.
+
+This demonstrates the power of CipherStash Proxy:
+
+- Completely transparent encryption of sensitive data in PostgreSQL
+- All data remains searchable, while being protected with non-deterministic AES-256-GCM encryption
+- Zero changes required to your application's database queries
+
 ## How-to
 
 This section contains how-to documentation for installing, configuring, and running CipherStash Proxy.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -40,7 +40,8 @@ services:
       - CS_DATABASE__HOST=postgres
       - CS_DATABASE__PORT=5432
       - CS_PROMETHEUS__ENABLED=${CS_PROMETHEUS__ENABLED:-true}
-      - CS_DATABASE__INSTALL_EQL=true # install EQL into the PostgreSQL database we start above
+      - CS_DATABASE__INSTALL_EQL=true            # install EQL into the PostgreSQL database
+      - CS_DATABASE__INSTALL_EXAMPLE_SCHEMA=true # install example schema into the PostgreSQL database
     networks:
       - cipherstash
 
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -79,10 +79,46 @@ case "${CS_DATABASE__INSTALL_EQL:-}" in
       >&2 echo "error: unable to install EQL in target PostgreSQL database!"
       exit 2
     fi
+    >&2 echo "Successfully installed EQL in target PostgreSQL database."
     ;;
   *)
     >&2 echo "Not installing EQL in target PostgreSQL database."
     ;;
 esac
 
+# Optionally install example schema in the target database
+case "${CS_DATABASE__INSTALL_EXAMPLE_SCHEMA:-}" in
+  "true") ;&
+  "yes") ;&
+  "1")
+    >&2 echo "Applying example schema in target PostgreSQL database..."
+
+    SQL_FILENAME="/opt/schema-example.sql"
+
+    if [ ! -f "${SQL_FILENAME}" ]; then
+      >&2 echo "error: unable to find example schema at: ${SQL_FILENAME}"
+      exit 1
+    fi
+
+    # Wait for postgres to become available
+    wait_for_postgres_or_exit
+
+    # Attempt to install EQL
+    psql --file=${SQL_FILENAME} --quiet $DATABASE_URL > /dev/null 2>&1
+    if [ $? != 0 ]; then
+      >&2 echo "error: unable to apply example schema in target PostgreSQL database!"
+      exit 2
+    fi
+
+    >&2 echo "Successfully applied example schema in target PostgreSQL database."
+    >&2 echo "Example tables: users"
+    ;;
+  *)
+    >&2 echo "Not installing example schema in target PostgreSQL database."
+    ;;
+esac
+
+>&2 echo "Proxy container setup complete!"
+>&2 echo "Running CipherStash Proxy..."
+
 exec cipherstash-proxy "$@"
diff --git a/docs/getting-started/schema-example.sql b/docs/getting-started/schema-example.sql
@@ -0,0 +1,48 @@
+TRUNCATE TABLE cs_configuration_v1;
+
+-- Exciting cipherstash table
+DROP TABLE IF EXISTS users;
+CREATE TABLE users (
+    id SERIAL PRIMARY KEY,
+    encrypted_email cs_encrypted_v1,
+    encrypted_dob cs_encrypted_v1,
+    encrypted_salary cs_encrypted_v1
+);
+
+SELECT cs_add_index_v1(
+  'users',
+  'encrypted_email',
+  'unique',
+  'text'
+);
+
+SELECT cs_add_index_v1(
+  'users',
+  'encrypted_email',
+  'match',
+  'text'
+);
+
+SELECT cs_add_index_v1(
+  'users',
+  'encrypted_email',
+  'ore',
+  'text'
+);
+
+SELECT cs_add_index_v1(
+  'users',
+  'encrypted_salary',
+  'ore',
+  'int'
+);
+
+SELECT cs_add_index_v1(
+  'users',
+  'encrypted_dob',
+  'ore',
+  'date'
+);
+
+SELECT cs_encrypt_v1();
+SELECT cs_activate_v1();
diff --git a/proxy.Dockerfile b/proxy.Dockerfile
@@ -11,6 +11,8 @@ COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 
 # Copy EQL install scripts
 COPY cipherstash-eql.sql /opt/cipherstash-eql.sql
+# Copy example schema
+COPY docs/getting-started/schema-example.sql /opt/schema-example.sql
 
 # Make the AWS global bundle available for use in the docker-entrypoint.sh script.
 ENV CS_DATABASE__AWS_BUNDLE_PATH="./aws-rds-global-bundle.pem"
