This document presents Bastion, a new encryption scheme that aims to ensure data confidentiality even if the encryption key is exposed. Bastion uses block cipher encryption in counter mode to encrypt plaintext data into ciphertext blocks. It then applies an efficient linear transformation to the ciphertext blocks. This linear transformation distributes information across all ciphertext blocks such that any individual block provides no information about the plaintext, even with knowledge of the encryption key. The scheme is designed to preserve confidentiality as long as an adversary does not have access to more than one ciphertext block. The document analyzes the security and performance of Bastion and suggests it could be integrated into existing cloud storage systems with low overhead.