CipherStash ZeroKMS
Per-record KMS with unique key derivation, instant revocation, and OIDC access.

CipherStash ZeroKMS Description
ZeroKMS is a key management service (KMS) built for per-record encryption at high throughput. Rather than sharing a single encryption key across many records, ZeroKMS derives a unique key per record using a composite approach that splits key material between the client and server, meaning neither party alone can decrypt data. Keys are never stored; instead, they are derived on demand via cryptographic algorithms. A client-side seed allows local key generation without network round-trips, enabling throughput of 10,000+ key operations per second, compared to approximately 700 ops/sec for AWS KMS and 900 ops/sec for Google Cloud KMS.

Access to keys is gated by OIDC-based identity checks, enforcing a deny-by-default model where only identities with valid claims can decrypt data. Key revocation is instantaneous and does not require re-encryption of existing data. ZeroKMS includes full audit logging with cryptographically verifiable logs, bulk encryption/decryption operations, and plug-in support for databases and SDKs including PostgreSQL, DynamoDB, and TypeScript applications.

The service offers 10,000 operations per month on a free tier. It supports compliance with GDPR, HIPAA, ISO 27001, and SOC 2, and is designed for use cases in HealthTech, FinTech, and AI infrastructure. ZeroKMS serves as the foundational layer of the broader CipherStash stack, underpinning the Protect (application-level encryption) and Stash (secrets management) products.
CipherStash ZeroKMS FAQ
Common questions about CipherStash ZeroKMS including features, pricing, alternatives, and user reviews.
CipherStash ZeroKMS is a per-record KMS with unique key derivation, instant revocation, and OIDC access, developed by CipherStash. It is a Cloud Security solution designed to help security teams with encryption and key management.