A storage controller coupled to a storage array comprising one or more storage devices receives a request to write encrypted data to a volume resident on a storage array, where the encrypted data comprises data encrypted by a first encryption key that is associated with at least one property of the data. The storage controller determines a decryption key to decrypt the encrypted data, decrypts the encrypted data using the decryption key, performs at least one data reduction operation on the decrypted data, encrypts the reduced data using a second encryption key to generate a second encrypted data, and storing the second encrypted data on the storage array.