This paper sheds new light on secure data storage inside distributed systems, such as data centers composed of multiple independent storage servers or multi-cloud architectures. Specifically, it revisits computational secret sharing based on symmetric encryption in a situation where the encryption key is exposed to an attacker. It comes with several contributions: First, it defines a security model for encryption schemes, where we ask for additional resilience against exposure of the encryption key. Precisely, we ask for (1) indistinguishability of plaintexts under full ciphertext knowledge, and (2) indistinguishability for an adversary who learns the encryption key plus all but one share of the ciphertext. (2) relaxes the "all-or-nothing" (AONT) property to a more realistic secret sharing setting, where the ciphertext is transformed into a constant number of shares (typically storage locations), such that the adversary cannot access one of them. (1) asks that, unless the user's key is disclosed, no one other than the user, the cloud provider included, can retrieve information about the plaintext. Second, it introduces a new computationally secure encryption-then-sharing scheme that protects the data in the previously defined attacker model. It consists of standard data encryption followed by a linear transformation of the ciphertext, then its fragmentation into shares, along with secret sharing of the randomness used for encryption. The computational overhead in addition to data encryption is reduced by half with respect to the state of the art. The storage overhead is negligible for large data (one additional ciphertext block per share). Performance results confirm the complexity analysis. Third, it provides for the first time cryptographic proofs (and discusses the security analysis of a previous scheme) in this context of key exposure.
It emphasizes that the security of our scheme relies only on a simple cryptanalysis resilience assumption for blockciphers in public key mode: indistinguishability from random of the sequence of differentials of a random value. By contrast, virtually all existing schemes rely on the unimplementable models of the random oracle (RO) or of Shannon's ideal blockcipher, which is furthermore recently threatened for AES. Fourth, it provides an alternative scheme with no linear overhead, but relying on the more theoretical random permutation model (RPM). It