Searchable Encryption
QNSP supports searching encrypted data without decryption via the Search Service (port 8101).
Overview
Searchable Symmetric Encryption (SSE) enables:
- Encrypted storage
- Keyword search on ciphertext
- Privacy-preserving queries
How it works
Indexing
- Extract searchable terms from document
- Generate encrypted index tokens
- Store tokens with encrypted document
Searching
- Client generates search token from query
- Server matches tokens without decryption
- Return matching encrypted documents
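The indexing and searching steps above, as an added example that is not QNSP code: it assumes tokens are HMAC-SHA256 of the lowercased term under a client-held index key, which this page does not specify. The names `extract_terms`, `make_token`, `index_tokens`, `Server` and `KEY` are hypothetical, and the stored blobs are placeholders for documents encrypted client-side.

```python
import hashlib
import hmac
import re

def extract_terms(text):
    """Indexing step 1: case-insensitive keyword terms (no stemming)."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def make_token(index_key, term):
    """Assumed token construction: HMAC-SHA256(index_key, lowercased term)."""
    return hmac.new(index_key, term.lower().encode(), hashlib.sha256).hexdigest()

def index_tokens(index_key, plaintext):
    """Indexing step 2 (client side): one token per extracted term."""
    return {make_token(index_key, t) for t in extract_terms(plaintext)}

class Server:
    """Holds only ciphertext and tokens; never sees the key or plaintext."""
    def __init__(self):
        self.blobs = {}   # doc_id -> encrypted document (opaque bytes)
        self.index = {}   # token -> set of doc_ids

    def store(self, doc_id, ciphertext, tokens):
        self.blobs[doc_id] = ciphertext
        for tok in tokens:
            self.index.setdefault(tok, set()).add(doc_id)

    def search(self, tokens):
        """AND over one or more search tokens, by token equality only."""
        hits = [self.index.get(t, set()) for t in tokens]
        return sorted(set.intersection(*hits)) if hits else []

KEY = b"constructed-demo-key"  # constructed; real keys come from a KMS/CSPRNG

def build_demo_server():
    # Constructed documents; the blobs are placeholders for client-side ciphertext.
    docs = {"d1": "Quarterly audit report",
            "d2": "Audit of key rotation",
            "d3": "Rotation schedule"}
    server = Server()
    for doc_id, text in docs.items():
        server.store(doc_id, b"ciphertext:" + doc_id.encode(), index_tokens(KEY, text))
    return server

if __name__ == "__main__":
    srv = build_demo_server()
    print(srv.search([make_token(KEY, "AUDIT")]))
    print(srv.search([make_token(KEY, "audit"), make_token(KEY, "rotation")]))
```

Because these tokens are deterministic, the server can tell when the same keyword is queried again and which documents share a keyword, even though it cannot read the keyword itself.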
Supported operations
| Operation | Description |
|---|---|
| Equality | Exact match |
| Prefix | Starts with |
| Range | Numeric ranges |
| Boolean | AND, OR, NOT |
Index types
Keyword index
- Individual terms
- Case-insensitive matching
- Stemming optional
Structured index
- JSON field paths
- Nested object support
- Array element search
Security properties
- Forward secrecy: New documents don't leak info about old queries
- Backward secrecy: Old documents don't leak info about new queries (with re-encryption)
Trade-offs
| Aspect | Impact |
|---|---|
| Index size | ~10-20% overhead |
| Query latency | ~2-5x vs plaintext |
| Functionality | Subset of SQL |
Configuration
Enable SSE per bucket:
```json
{
  "searchableEncryption": {
    "enabled": true,
    "indexFields": ["title", "tags", "metadata.*"]
  }
}
```