A dispersed storage network (DSN) includes a DSN memory, which in turn employs multiple distributed storage (DS) units to store encrypted secret material that can be decrypted using an unlock key. The unlock key is stored external to the DS unit, in some cases using multiple data slices dispersed throughout the DSN. To obtain the unlock key, the DS unit transmits authentication credentials to another device included in the DSN, but external to the DS unit. The other device authenticates the DS unit using the authentication credentials, and sends the unlock key to the DS unit. The DS unit uses the unlock key in normal decryption operations. In response to a security event, the DS unit transitions to a secure mode by erasing any material decrypted using the unlock key, the unlock key, and the DS unit's authentication credentials.