# Zero-Knowledge / BYOK Encryption (ABA 477R/512) > Document and validate BYOK and zero-knowledge encryption architecture for legal and compliance contexts. Aligns with ABA 477R (reasonable efforts) and ABA 512 (GAI informed consent). Tags: ABA 477R, ABA 512, Encryption, BYOK, Zero-Knowledge, Legal, Compliance, Key Management ## Example Prompts - Document our BYOK and zero-knowledge design for ABA 477R compliance - Validate that our encryption design document adequately describes key custody - Draft a design for vendor diligence on our cloud storage with client-held keys URL: https://rakenne.app/skills/zero-knowledge-byok-encryption/index.md Try this skill: https://rakenne.app/a/?skill=zero-knowledge-byok-encryption ## Overview Document and validate **BYOK (Bring Your Own Key)** and **zero-knowledge** encryption architecture for legal and compliance contexts. The skill helps you draft design documentation that supports ABA 477R (reasonable efforts to protect client information) and ABA 512 (informed consent for GAI tools). A built-in validation tool ensures the design explicitly states that the client controls keys and the provider cannot decrypt client data before you finalize. ## Example Conversation > **You:** We need to document our BYOK and zero-knowledge design for ABA 477R compliance. Our cloud storage uses client-held keys and the provider only stores ciphertext. Can you draft the design and validate it? > **Agent:** I'll use the Zero-Knowledge / BYOK Encryption skill. I'll copy the template into the workspace, fill in scope, key custody, zero-knowledge guarantees, and vendor diligence sections using the skill's references. Then I'll run `byok_zero_knowledge_validator` to ensure the design passes. > **Agent:** *(Creates the design document from the template.)* I've documented that the client generates and stores keys, the provider has no persistent access to keys, and the provider cannot decrypt client data. Running `byok_zero_knowledge_validator`... > **Agent:** Result of `byok_zero_knowledge_validator`: > > --- BYOK / ZERO-KNOWLEDGE VALIDATOR --- > Result: PASS > Document: byok-encryption-design.md > BYOK coverage: found (client controls keys / provider does not have keys). > Zero-knowledge coverage: found (provider cannot decrypt client data). > > The design document meets BYOK and zero-knowledge documentation requirements. Ready for review. ## Output Excerpt A typical design includes scope, key custody, zero-knowledge guarantees, and vendor diligence. Excerpt: ```markdown ## 2. Key custody (BYOK) - Key generation: client-controlled HSM; keys never leave client control. - Key storage: client-managed key vault; provider has no access. - Provider does not have persistent access to or custody of client keys. ## 3. Zero-knowledge / end-to-end encryption - Encryption locus: client-side; provider stores only ciphertext. - Provider cannot decrypt client data. - Metadata minimization: provider sees only ciphertext identifiers, not plaintext. ``` The validator would FAIL if the document did not explicitly state both key custody and zero-knowledge; after adding the required language, the check passes. ## Extension Tools and Validations **`byok_zero_knowledge_validator`** validates that an encryption or key management design document adequately describes BYOK and zero-knowledge architecture: | Check | What it looks for | Pass condition | |-------|-------------------|----------------| | **BYOK coverage** | Client controls keys; provider does not have persistent access to or custody of client keys. | At least one such statement found (e.g. "client controls keys", "provider does not have keys", "BYOK"). | | **Zero-knowledge coverage** | Provider cannot decrypt or access plaintext client data. | At least one such statement found (e.g. "provider cannot decrypt", "zero-knowledge", "client-side encryption"). | | **Result** | PASS only when both BYOK and zero-knowledge coverage are present. | FAIL if either is missing; the report suggests adding or strengthening language. | Run this tool after drafting or editing the design; iterate until the report shows PASS before finalizing. ## Getting Started Add any existing encryption or key management documentation to the project workspace and activate the *Zero-Knowledge / BYOK Encryption (ABA 477R/512)* skill. The agent will draft or update the design using the bundled ABA 477R/512 and BYOK references, then run `byok_zero_knowledge_validator` so the document meets documentation requirements. --- Back to [Skill Library](https://rakenne.app/skills/index.md)