Abstract: The technology disclosed herein provides network bound encryption that enables a trusted execution environment to persistently store and access recovery data without persistently storing the decryption key. An example method may include: transmitting combined key data that is based on a cryptographic key data of a second computing device to a third computing device; deriving a cryptographic key from combined key data received from the third computing device, the received combined key data being based on the cryptographic key data of the second computing device and cryptographic key data of the third computing device; and causing the trusted execution environment to use the cryptographic key to access sensitive data on a persistent storage device.

Abstract: The technology disclosed herein provides a cryptographic key wrapping system for verifying device capabilities. An example method may include: accessing, by a processing device, a wrapped key that encodes a cryptographic key; executing, by the processing device in a trusted execution environment, instructions to derive the cryptographic key in view of the wrapped key, wherein the executing to derive the cryptographic key comprises a task that consumes computing resources for a duration of time; using the cryptographic key to access program data; executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time; and transmitting a message comprising an indication of the evaluated condition.

Abstract: A method for providing randomized encryption for file blocks including receiving a plurality of file blocks, selecting at least one encryption scheme for the plurality of file blocks, determining a first encryption order for the plurality of file blocks, encrypting, at a first time, the plurality of file blocks with the at least one encryption scheme in the first encryption order to produce a first plurality of encrypted file blocks, determining a second encryption order for the plurality of file blocks, the second encryption order being different from the first encryption order, and encrypting, at a second time, the plurality of file blocks with the at least one encryption scheme in the second encryption order to produce a second plurality of encrypted file blocks.

Abstract: The technology disclosed herein provides network bound encryption that enables a node management device to orchestrate workloads with encrypted data without sharing the decryption key. An example method may include: obtaining an asymmetric key pair comprising a public asymmetric key and a private asymmetric key; establishing a symmetric key using a key establishment service, wherein the symmetric key is established in view of the private asymmetric key of a first computing device and a public asymmetric key of the key establishment service; transmitting sensitive data encrypted using the symmetric key to a persistent storage device accessible to a second computing device; initiating a creation of an execution environment on the second computing device; and providing, by the first computing device, the public asymmetric key and the location data to the second computing device, wherein the location data corresponds to the key establishment service.

Abstract: The technology disclosed herein provides network bound encryption that enables a trusted execution environment to persistently store and access recovery data without persistently storing the decryption key. An example method may include: transmitting combined key data that is based on a cryptographic key data of a second computing device to a third computing device; deriving a cryptographic key from combined key data received from the third computing device, the received combined key data being based on the cryptographic key data of the second computing device and cryptographic key data of the third computing device; and causing the trusted execution environment to use the cryptographic key to access sensitive data on a persistent storage device.

Abstract: The technology disclosed herein provides network bound encryption that enables a node management device to orchestrate workloads with encrypted data without sharing the decryption key. An example method may include: obtaining an asymmetric key pair comprising a public asymmetric key and a private asymmetric key; establishing a symmetric key using a key establishment service, wherein the symmetric key is established in view of the private asymmetric key of a first computing device and a public asymmetric key of the key establishment service; transmitting sensitive data encrypted using the symmetric key to a persistent storage device accessible to a second computing device; initiating a creation of an execution environment on the second computing device; and providing, by the first computing device, the public asymmetric key and the location data to the second computing device, wherein the location data corresponds to the key establishment service.

Abstract: The technology disclosed herein provides network bound encryption that enables a trusted execution environment to persistently store and access recovery data without persistently storing the decryption key.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system for verifying device capabilities. An example method may include: accessing a wrapped key and a cryptographic attribute for the wrapped key from an encrypted memory region, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute, wherein the deriving consumes computing resources for a duration of time; using the cryptographic key to access program data; and executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system for restricting data execution based on device capabilities. An example method may include: accessing a wrapped key and a cryptographic attribute for the wrapped key, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute; using the cryptographic key to access program data; and executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system that cryptographically controls access to data. An example method may include: selecting a set of cryptographic attributes in view of a characteristic of a computing device; obtaining, by a processing device, a cryptographic key; encrypting, by the processing device, the cryptographic key in view of the set of cryptographic attributes to produce a wrapped key; and providing the wrapped key and at least one of the cryptographic attributes to the computing device, wherein the at least one cryptographic attribute facilitates deriving the cryptographic key from the wrapped key.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system that uses integrated key fragments to cryptographically control access to data. An example method may include encrypting a first cryptographic key to produce a wrapped key, wherein the first cryptographic key enables a computing device to access content; determining a plurality of key fragments of a second cryptographic key, wherein the second cryptographic key is for decrypting the wrapped key and at least one of the plurality of key fragments is derived using one of the key fragments as input; selecting a set of cryptographic attributes for deriving the plurality of key fragments, wherein the set of cryptographic attributes are selected in view of a characteristic of the computing device; and providing the wrapped key and the set of cryptographic attributes to the computing device, the set of cryptographic attributes facilitating determination of the second cryptographic key.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system that uses key fragments to cryptographically control access to data. An example method may include: encrypting a first cryptographic key to produce a wrapped key, wherein the first cryptographic key enables a computing device to access content; splitting a second cryptographic key into a plurality of key fragments, wherein the second cryptographic key is for decrypting the wrapped key; selecting a set of cryptographic attributes for deriving at least one of the plurality of key fragments, wherein the set of cryptographic attributes are selected in view of a characteristic of the computing device; and providing the wrapped key and the set of cryptographic attributes to the computing device, the set of cryptographic attributes facilitating determination of the second cryptographic key.

Abstract: The technology disclosed herein provides a cryptographic key wrapping system for verifying device capabilities. An example method may include: accessing, by a processing device, a wrapped key that encodes a cryptographic key; executing, by the processing device in a trusted execution environment, instructions to derive the cryptographic key in view of the wrapped key, wherein the executing to derive the cryptographic key comprises a task that consumes computing resources for a duration of time; using the cryptographic key to access program data; executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time; and transmitting a message comprising an indication of the evaluated condition.

Abstract: The technology disclosed herein provides an enhanced access control mechanism that uses a proof-of-work key wrapping system to temporally restrict access to data. An example method may include: determining, by a processing device, characteristics of a computing device; accessing a cryptographic key for accessing content; selecting a set of cryptographic attributes for wrapping the cryptographic key, wherein the set of cryptographic attributes are selected to enable the computing device to derive the cryptographic key from a wrapped key in a predetermined duration of time; and providing the wrapped key and an indication of at least one of the cryptographic attributes to the computing device.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system that uses key thresholding to cryptographically control data access. An example method may include: accessing a plurality of cryptographic key shares, wherein two or more of the plurality of cryptographic key shares enable access to content; selecting, by a processing device, a set of cryptographic attributes in view of a characteristic of a computing device; encrypting the plurality of cryptographic key shares to produce a plurality of wrapped key shares, wherein at least one of the plurality of cryptographic key shares is encrypted in view of the set of cryptographic attributes; and providing a wrapped key share of the plurality of wrapped key shares and at least one of the cryptographic attributes to the computing device, wherein the at least one cryptographic attribute facilitates deriving an access key from the plurality of wrapped key shares.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system for verifying device capabilities. An example method may include: receiving a wrapped key and a cryptographic attribute for the wrapped key, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute, wherein the deriving consumes computing resources for a duration of time; using the cryptographic key to access program data; executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time; and transmitting a message comprising an indication of the condition.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system for verifying device capabilities. An example method may include: accessing instructions, a wrapped key, and a cryptographic attribute for the wrapped key from an encrypted memory region, wherein the wrapped key encodes a cryptographic key; executing, by a processing device, the instructions to derive the cryptographic key in view of the wrapped key and the cryptographic attribute, wherein the executing consumes computing resources for a duration of time; using the cryptographic key to access program data; executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time; and transmitting a message comprising an indication of the evaluated condition.

Abstract: The technology disclosed herein provides network bound encryption that enables a node management device to orchestrate workloads with encrypted data without sharing the decryption key. An example method may include: obtaining an asymmetric key pair comprising a public asymmetric key and a private asymmetric key; establishing a symmetric key using a key establishment service, wherein the symmetric key is established in view of the private asymmetric key of a first computing device and a public asymmetric key of the key establishment service; transmitting sensitive data encrypted using the symmetric key to a persistent storage device accessible to a second computing device; initiating a creation of an execution environment on the second computing device; and providing, by the first computing device, the public asymmetric key and the location data to the second computing device, wherein the location data corresponds to the key establishment service.

Abstract: The technology disclosed herein provides network bound encryption that enables a trusted execution environment to persistently store and access recovery data without persistently storing the decryption key.

Abstract: A system and method are provided for emulating a code sequence while compiling the code sequence into compiled operations for later execution of the code sequence. In one embodiment, the system includes an emulation model for executing operations and a compilation model for compiling operations. The emulation model may execute operations of the code sequence and the compilation model may compile the operations of the code sequence into compiled operations. The system may transfer execution of the operations from the emulation model to the compiled operations. In certain implementations, the transfer may include transferring flow information and program execution information. In further implementations, the transfer may occur after detecting that a current compilation level of the code sequence exceeds a compilation threshold.