System and method for managing secret information using virtualization

What is claimed is: 1. A method for managing secret information for virtual entities in a distributed computer system, the method comprising: generating secret information for a virtual entity, wherein the virtual entity is to be hosted in a host computer in the distributed computer system; partitioning the secret information into a plurality of secret pieces using a secret sharing scheme, wherein the secret sharing scheme includes a (k, n)-threshold secret sharing scheme, where n is equal to the number of parties that will be holding the secret pieces and k is the number of secret pieces that are needed to derive the secret information; distributing at least one piece of the secret information to multiple secret storage service entities, including distributing at least one of the secret pieces to each host computer in a group of host computers in the distributed computer system and to the virtual entity; deploying the virtual entity on the host computer; providing the secret information to the virtual entity, by the host computer, for consumption by the virtual entity using the at least one piece of the secret information from one of the multiple secret storage service entities, wherein the secret information is stored on the host computer; and erasing the secret information from the host computer on which the virtual entity is deployed. 2. The method of claim 1 , wherein distributing at least one piece of the secret information to multiple secret storage service entities includes distributing the entire secret information to the multiple secret storage service entities. 3. The method of claim 1 , wherein providing the secret information to the virtual entity for consumption includes requesting the secret information from one of the multiple secret storage service entities by the host computer, and transmitting the secret information from that secret storage service entity to the host computer in response to the request. 4. The method of claim 1 , further comprising: migrating the virtual entity from the host computer to another host computer in the distributed computer system; and providing the secret information to the virtual entity on the another host computer using the at least one piece of the secret information from one of the multiple secret storage service entities. 5. The method of claim 1 , wherein the (k, n)-threshold secret sharing scheme is a (2, n)-threshold secret sharing scheme so that at least two of the secret pieces are needed to derive the secret information. 6. The method of claim 1 , wherein providing the secret information to the virtual entity for consumption includes deriving the secret information using the secret piece from the virtual entity and the secret piece from the host computer. 7. The method of claim 1 , further comprising: migrating the virtual entity from the host computer to another host computer in the distributed computer system; deriving the secret information using the secret piece from the virtual entity and the secret piece from the another host computer; and providing the secret information to the virtual entity on the another host computer. 8. A non-transitory computer-readable storage medium containing program instructions for managing secret information for virtual entities in a distributed computer system, wherein execution of the program instructions by one or more processors of a computer system causes the one or more processors to perform steps comprising: generating secret information for a virtual entity to be hosted in a host computer in the distributed computer system; partitioning the secret information into a plurality of secret pieces using a secret sharing scheme, wherein the secret sharing scheme includes a (k, n)-threshold secret sharing scheme, where n is equal to the number of parties that will be holding the secret pieces and k is the number of secret pieces that are needed to derive the secret information; distributing at least one piece of the secret information to multiple secret storage service entities, including distributing at least one of the secret pieces to each host computer in a group of host computers in the distributed computer system and to the virtual entity; deploying the virtual entity on the host computer; providing the secret information to the virtual entity, by the host computer, for consumption using the at least one piece of the secret information from one of the multiple secret storage service entities, wherein the secret information is stored on the host computer; and erasing the secret information from the host computer on which the virtual entity is deployed. 9. The computer-readable storage medium of claim 8 , wherein distributing at least one piece of the secret information to multiple secret storage service entities includes distributing the entire secret information to the multiple secret storage service entities. 10. The computer-readable storage medium of claim 8 , wherein providing the secret information to the virtual entity for consumption includes requesting the secret information from one of the multiple secret storage service entities by the host computer, and transmitting the secret information from that secret storage service entity to the host computer in response to the request. 11. The computer-readable storage medium of claim 8 , wherein the steps further comprise: migrating the virtual entity from the host computer to another host computer in the distributed computer system; and providing the secret information to the virtual entity on the another host computer using the at least one piece of the secret information from one of the multiple secret storage service entities. 12. The computer-readable storage medium of claim 8 , wherein the (k, n)-threshold secret sharing scheme is a (2, n)-threshold secret sharing scheme so that at least two of the secret pieces are needed to derive the secret information. 13. The computer-readable storage medium of claim 8 , wherein providing the secret information to the virtual entity for consumption includes deriving the secret information using the secret piece from the virtual entity and the secret piece from the host computer. 14. The computer-readable storage medium of claim 8 , wherein the steps further comprise: migrating the virtual entity from the host computer to another host computer in the distributed computer system; deriving the secret information using the secret piece from the virtual entity and the secret piece from the another host computer; and providing the secret information to the virtual entity on the another host computer. 15. A distributed computer system comprising: a plurality of host computers with memories and processors; and a plurality of virtual entities hosted on at least some of the host computers, each of the virtual entities being assigned secret information; wherein at least one of the host computers is configured to partition the secret information for each of the virtual entities into a plurality of secret pieces using a secret sharing scheme, wherein the secret sharing scheme includes a (k, n)-threshold secret sharing scheme, where n is equal to the number of parties that will be holding the secret pieces and k is the number of secret pieces that are needed to derive the secret information, and wherein at least one of the secret pieces of each secret information is distributed to each of the host computers and to the virtual entity to which that secret information is assigned, and wherein at least one of the host computers is configured to provide the secret information of the particular virtual entity depl