A key originating device generates a subject key that is managed by a policy. The subject key may be generated and the policy configured at the instruction of a user, an application, or a service, such as a provisioning service. The policy that manages the subject key identifies at least one or more entities that are authorized to receive the subject key. The subject key is provided varying layers of encryption as it is communicated between the originating device, an escrow services, and an authorized entity.