Overview
Document and validate BYOK (Bring Your Own Key) and zero-knowledge encryption architecture for legal and compliance contexts. The skill helps you draft design documentation that supports ABA 477R (reasonable efforts to protect client information) and ABA 512 (informed consent for GAI tools). Before you finalize, a built-in validation tool checks that the design explicitly states that the client controls the keys and that the provider cannot decrypt client data.
Example Conversation
You: We need to document our BYOK and zero-knowledge design for ABA 477R compliance. Our cloud storage uses client-held keys and the provider only stores ciphertext. Can you draft the design and validate it?
Agent: I’ll use the Zero-Knowledge / BYOK Encryption skill. I’ll copy the template into the workspace, fill in scope, key custody, zero-knowledge guarantees, and vendor diligence sections using the skill’s references. Then I’ll run byok_zero_knowledge_validator to ensure the design passes.
Agent: (Creates the design document from the template.) I’ve documented that the client generates and stores keys, the provider has no persistent access to keys, and the provider cannot decrypt client data. Running byok_zero_knowledge_validator…
Agent: Result of byok_zero_knowledge_validator:
— BYOK / ZERO-KNOWLEDGE VALIDATOR —
Result: PASS
Document: byok-encryption-design.md
BYOK coverage: found (client controls keys / provider does not have keys).
Zero-knowledge coverage: found (provider cannot decrypt client data).
The design document meets BYOK and zero-knowledge documentation requirements. Ready for review.
Output Excerpt
A typical design includes scope, key custody, zero-knowledge guarantees, and vendor diligence. Excerpt:
## 2. Key custody (BYOK)
- Key generation: client-controlled HSM; keys never leave client control.
- Key storage: client-managed key vault; provider has no access.
- Provider does not have persistent access to or custody of client keys.
## 3. Zero-knowledge / end-to-end encryption
- Encryption locus: client-side; provider stores only ciphertext.
- Provider cannot decrypt client data.
- Metadata minimization: provider sees only ciphertext identifiers, not plaintext.
The validator would FAIL if the document did not explicitly state both key custody and zero-knowledge; after adding the required language, the check passes.
Extension Tools and Validations
byok_zero_knowledge_validator validates that an encryption or key management design document adequately describes BYOK and zero-knowledge architecture:
| Check | What it looks for | Pass condition |
|---|---|---|
| BYOK coverage | Client controls keys; provider does not have persistent access to or custody of client keys. | At least one such statement found (e.g. “client controls keys”, “provider does not have keys”, “BYOK”). |
| Zero-knowledge coverage | Provider cannot decrypt or access plaintext client data. | At least one such statement found (e.g. “provider cannot decrypt”, “zero-knowledge”, “client-side encryption”). |
| Result | PASS only when both BYOK and zero-knowledge coverage are present. | FAIL if either is missing; the report suggests adding or strengthening language. |
Run this tool after drafting or editing the design; iterate until the report shows PASS before finalizing.
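A sketch of the coverage check described in the table, added here as an illustration and not the skill's own code. The phrase patterns are assumptions modelled on the table's example phrases, and `find_evidence`, `validate` and the sample documents are hypothetical names; the sketch returns the matching lines so a reviewer can read the evidence behind a PASS.

```python
import re

# Assumed patterns modelled on the table's example phrases (not the real tool's rules).
BYOK_PATTERNS = [
    r"\bBYOK\b",
    r"client[- ]control\w*\b.*\bkeys?",
    r"provider (?:does not have|has no)\b.*\b(?:keys?|access|custody)",
]
ZK_PATTERNS = [
    r"zero[- ]knowledge",
    r"client[- ]side encryption",
    r"provider cannot (?:decrypt|access plaintext)",
    r"provider stores only ciphertext",
]

def find_evidence(text, patterns):
    """Return (line_number, line) for every line matching any pattern."""
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), start=1)
            if any(re.search(p, line, re.IGNORECASE) for p in patterns)]

def validate(text):
    """PASS only when both checks have at least one evidence line."""
    found = {"BYOK": find_evidence(text, BYOK_PATTERNS),
             "zero-knowledge": find_evidence(text, ZK_PATTERNS)}
    missing = [name for name, hits in found.items() if not hits]
    return {"result": "FAIL" if missing else "PASS", "evidence": found, "missing": missing}

# The excerpt from this page's "Output Excerpt" section.
COMPLETE = """\
## 2. Key custody (BYOK)
- Key generation: client-controlled HSM; keys never leave client control.
- Key storage: client-managed key vault; provider has no access.
- Provider does not have persistent access to or custody of client keys.
## 3. Zero-knowledge / end-to-end encryption
- Encryption locus: client-side; provider stores only ciphertext.
- Provider cannot decrypt client data.
- Metadata minimization: provider sees only ciphertext identifiers, not plaintext.
"""
# Constructed sample: key custody is stated, zero-knowledge is not.
INCOMPLETE = """\
## 2. Key custody
- Key generation: client-controlled HSM; keys never leave client control.
- Data is encrypted at rest with AES-256.
"""

if __name__ == "__main__":
    for name, doc in (("COMPLETE", COMPLETE), ("INCOMPLETE", INCOMPLETE)):
        print(name, validate(doc)["result"], validate(doc)["missing"])
```

Because the pass condition is phrase presence, a sentence such as "We do not offer BYOK or zero-knowledge storage." also counts as coverage in this sketch, which is why the returned evidence lines are worth reading rather than the PASS alone.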
Getting Started
Add any existing encryption or key management documentation to the project workspace and activate the Zero-Knowledge / BYOK Encryption (ABA 477R/512) skill. The agent will draft or update the design using the bundled ABA 477R/512 and BYOK references, then run byok_zero_knowledge_validator so the document meets documentation requirements.