As cloud servers may not be trusted, sensitive data have to be transmitted and stored in an encrypted form. Major challenges for users are from the management (storage, update, protection, backup, and recoverability) of keys that can help users to decrypt authorized data available on the servers. In this paper, we propose a versatile approach for extremely lightweight key management, which is one of the most basic security tasks in cloud systems. In the multiple data owners scenario, each user only needs to manage a single key by our approach. With the help of the single key and a set of public information stored on the server, users can decrypt all authorized data from different data owners. Specifically, our paper proposes a novel access control model, proves the correctness and security, and analyzes the complexity of the model. Experimental results show that our approach significantly outperforms the single-layer derivation encryption and double-layer derivation encryption on the lightweight performance. Copyright © 2013 John Wiley & Sons, Ltd.