Communications between various computing entities in an untrusted network are typically secured using Transport Layer Security (TLS) encryption, requiring public key infrastructure (PKI) support. PKI support may include public/private key pairs as well as signed digital certificates that are linked back to an entity trusted by both parties in the communication. Each computing entity or service component maintains its unique private key in secret, and any separate entity that becomes aware of the particular private key (i.e., if the private key is compromised) provides an attack surface into the computing entity's communications.
In a cloud environment, virtual machines may be transient and instances may be booted to scale with demand for the service provided by that virtual machine. Rather than manually provision each instance with an individual digital certificate, each instance of the virtual machine may be provided with PKI support by replicating the keys and certificate in the virtual machine image used to create each instance. Alternatively, some cloud environments may use a hardware based trust anchor.