Enabling using external tenant master keys
Abstract:
The present application discloses a method, system, and computer system for managing data using keys. The method includes receiving a request to access data, wherein the data is encrypted based on a tenant service encryption key (TSEK) corresponding to a tenant database, determining a wrapper key used in connection with encrypting the TSEK based on TSEK metadata, determining a top-level key used in connection with encrypting the wrapper key based on wrapper key metadata stored in association with the encrypted version of the wrapper key, obtaining the data stored within the tenant database, comprising decrypting at least part of the data based on (i) the TSEK, (ii) the wrapper key, and (iii) the top-level key, and providing the data in response to the request. The TSEK metadata is stored in the tenant database. An encrypted version of the wrapper key is stored in a key management service.
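The key resolution and unwrap chain described in the abstract, as an added Python example that is not taken from the patent or any product: TSEK metadata names the wrapper key, wrapper key metadata names the top-level key, and decryption then runs top-level key, wrapper key, TSEK, data. The key ids, the dictionary layout, storing the wrapped TSEK beside its metadata, and the `seal`/`unseal` helpers (a standard-library stand-in for AES-GCM or AES key wrap) are all assumptions.

```python
import hashlib, hmac, os

def _subkeys(key):
    # Stand-in AEAD built from the standard library so the example runs offline.
    # A real deployment would use AES-GCM or AES key wrap instead.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key, plaintext):
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    stream = hashlib.shake_256(enc + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    stream = hashlib.shake_256(enc + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

# Constructed sample state. All ids and the storage layout are assumptions.
TOP_LEVEL_KEYS = {"tmk-1": os.urandom(32)}  # stands in for the top-level key holder
_wrapper, _tsek = os.urandom(32), os.urandom(32)
KMS = {"wk-7": {"metadata": {"top_level_key_id": "tmk-1"},
                "wrapped": seal(TOP_LEVEL_KEYS["tmk-1"], _wrapper)}}
TENANT_DB = {"tsek_metadata": {"wrapper_key_id": "wk-7"},
             "wrapped_tsek": seal(_wrapper, _tsek),
             "rows": {"r1": seal(_tsek, b"tenant record")}}

def read_row(row_id, tenant_db=TENANT_DB, kms=KMS, top_keys=TOP_LEVEL_KEYS):
    # 1. TSEK metadata (tenant database) names the wrapper key.
    wk_entry = kms[tenant_db["tsek_metadata"]["wrapper_key_id"]]
    # 2. Wrapper key metadata (stored with the wrapped key) names the top-level key.
    top = top_keys[wk_entry["metadata"]["top_level_key_id"]]
    # 3. Unwrap down the chain: top-level -> wrapper -> TSEK -> data.
    wrapper = unseal(top, wk_entry["wrapped"])
    tsek = unseal(wrapper, tenant_db["wrapped_tsek"])
    return unseal(tsek, tenant_db["rows"][row_id])
```

In this sketch, a wrong or withdrawn top-level key fails at the first unwrap, so no row can be read even though the tenant database and the key management service are untouched.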