Typically, cloud storage providers are expected to protect their client's data by employing at least a unique key per client or cloud subscriber. Traditional encryption management mechanisms include the cloud providers managing cryptographic keys in software, the cloud providers managing cryptographic keys in hardware, or the cloud subscribers managing cryptographic keys in demilitarized zones (DMZs) of the cloud subscribers.