Authentication credentials are received at a key server system. A service associated with the wrapped key is identified. A master key is accessed based on the identified service, the master key being associated with the identified service. The wrapped key is decrypted to generate an unwrapped key that includes the resource identifier, the resource encryption key, and the user identifier in unencrypted form. The user identifier is identified accessed from the unwrapped key. The received authentication credentials are determined to correspond to the accessed user identifier. In response to determining that the received authentication credentials correspond to the accessed user identifier, the resource encryption key are sent in unecrypted to the application server system such that the application server system can decrypt the resource using the resource encryption key in unencrypted form.