A key management system includes secured data stored on a first system
secured by a control key stored securely on a key server. The secured
data is secured against attacks such as unauthorized use, modification or
access, where authorization to access the secured data is determined by
knowledge of an access private key of an access key pair. When an
authorized user is to access the secured data, the first system generates
a request to the key server, signed with the access private key, wherein
the request is for a decryption control key and the request includes a
one-time public key of a key pair generated by the first system for the
request. The first system can decrypt the decryption control key from the
response, using a one-time private key. The first system can then decrypt
the secured data with the decryption control key remaining secured in
transport.