Electronic data security has become an area of great focus for development as more daily transactions become computerized. Computing devices are constantly being utilized to exchange financial data, personal identification data, etc. As a result, hackers may attempt to compromise computing devices to gain access to this valuable information. For example, malicious software (e.g., malware) may be loaded to passively or actively attack computing devices. Passive attacks may comprise malware observing data being passed between a processor and a memory to obtain passwords or other sensitive or confidential data. Active attacks may involve altering data stored in memory to trigger an atypical result such as allowing an unpermitted user to gain access to the computing device. In either instance, plaintext (unencrypted) data in the memory of a computing device, that is exchanged with a processor in the computing device, etc. is a major vulnerability.
Virtualized computing environments may offer some inherent protection from the above attacks. For example, a virtualized device may comprise at least one virtual machine (VM). The VM is a software-based execution environment that emulates actual device hardware. Each VM may emulate multiple physical devices within a single device. An example implementation may include a virtual machine manager (VMM) or “hypervisor” to control at least one “trusted” VM or trusted execution environment (TEE) and at least one untrusted VM. The TEE may provide a protected environment in which software may execute without being exposed to potential attacks from malicious software (malware), etc. While a TEE may offer strong protection, it may not be feasible to execute operational software for an entire device from within the TEE. This exposes other potential points of attack (e.g., attack vectors) that make up an attack surface for the device. Hardware and software developers seek to better protect devices by reducing the attack surface. One manner in which this may be accomplished is by encrypting more of the data in the device, possibly using different encryption systems. However, encrypting a piece of data utilizing more than one encryption system may generate processing overhead that impacts device performance.
Although the following Detailed Description will proceed with reference being made to illustrative embodiments, many alternatives, modifications and variations thereof will be apparent to those skilled in the art.