Systems and Methods for encrypting and decrypting data in a dispersed storage network are disclosed. A data object may be encrypted using a data object specific encryption key, a container specific encryption key, a tenant account specific encryption key, or a time based encryption key. This specific, or more generally, secondary encryption key can be derived from a master or primary encryption key. Encryption key metadata pertaining to the master encryption key and the specific encryption key is also created and stored in the DSN. When reading an encrypted data object, the master encryption key can be retrieved and, along with the encryption key metadata, used to derive the specific encryption key. The specific encryption key can then be used to decrypt the encrypted data object to recover the data object.