Multi-phase protection for data-centric objects

What is claimed is: 1. A system for protection for data objects based on physical location, the system comprising: a computing environment including a first computing system, a second computing system, an authentication system, and a data storage device in communication with one another, wherein: the first computing system is disposed at a first location and includes a first hardware security module containing a first master key that acts as a wrapping key for protecting a first set of decryption keys; the second computing system is disposed at a second location and includes a second hardware security module containing a second master key that acts as a wrapping key for protecting a second set of decryption keys; the first set of decryption keys being determined based on the first location; and the second set of decryption keys being determined based on the second location, wherein the authentication system controls user access to the first computing system and the second computing system, wherein the first computing system is configured to receive encrypted data from an authenticated user at the first location, wherein the encrypted data includes embedded information about a data encryption key used to encrypt the encrypted data; and wherein the first set of decryption keys are configured to unlock a keystore of the first computing system, wherein the keystore that includes a hierarchy of keys, which are each used to decrypt data objects that were encrypted by the data storage system. 2. The system of claim 1 , wherein the first set of decryption keys are configured to decrypt a first subset of encrypted data objects in the data storage device. 3. The system of claim 2 , wherein the second set of decryption keys are configured to decrypt a second subset of encrypted data objects in the data storage device and wherein the first subset is different from the second subset. 4. The system of claim 1 , wherein the first computing system is further configured to decrypt the encrypted data based on a determination that the data encryption key corresponds to one of the first set of decryption keys. 5. A method for protecting data objects in a computing environment based on physical location, the method comprising: receiving, by a computing system of the computing environment, a request to access an encrypted data from an authenticated user, wherein the encrypted data includes information about a data encryption key used to encrypt the encrypted data; providing, by the computing system, the encrypted data to the computer system where the user was authenticated, the computer system including a set of decryption keys protected by a master key stored within a hardware security module, wherein the set of decryption keys are determined based on associated with the location of the hardware security module; decrypting, by the hardware security module, the encrypted data based on a determination that the data encryption key corresponds to one of the set of decryption keys, wherein the set of decryption keys are determined based on the location of the hardware security module, wherein the computing system is configured to receive encrypted data from the authenticated user, wherein the encrypted data includes embedded information about a data encryption key used to encrypt the encrypted data; and wherein the set of decryption keys are configured to unlock a keystore of the computing system, wherein the keystore that includes a hierarchy of keys, which are each used to decrypt data objects that were encrypted. 6. The method of claim 5 , wherein the authenticated user is authenticated by an authentication system of the computing environment that is configured to verify an identity of a user of the computer system. 7. The method of claim 5 , wherein the master key is unique to the hardware security module. 8. The method of claim 5 , wherein the set of decryption keys are configured to decrypt a subset of encrypted data objects in a data storage device of the computing environment. 9. The method of claim 5 , further comprising denying access to the encrypted data based on a determination that the data encryption key does not correspond to one of the set of decryption keys. 10. The method of claim 5 , wherein an identification of the hardware security module associated with the location includes determining one or more attributes of the authenticated user. 11. The method of claim 5 , wherein the one or more attributes of the authenticated user include one or more of a physical location of the authenticated user, an access group of the authenticated user, and an organizational role of the authenticated user. 12. A computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to perform operations comprising: receiving, by a computing system of the computing environment, a request to access an encrypted data from an authenticated user, wherein the encrypted data includes information about a data encryption key used to encrypt the encrypted data; providing, by the computing system, the encrypted data to the computer system where the user was authenticated, the computer system including a set of decryption keys protected by a master key stored within a hardware security module, wherein the set of decryption keys are determined based on associated with the location of the hardware security module; decrypting, by the hardware security module, the encrypted data based on a determination that the data encryption key corresponds to one of the set of decryption keys, wherein the set of decryption keys are determined based on the location of the hardware security module, wherein the computing system is configured to receive encrypted data from the authenticated user, wherein the encrypted data includes embedded information about a data encryption key used to encrypt the encrypted data; and wherein the set of decryption keys are configured to unlock a keystore of the computing system, wherein the keystore that includes a hierarchy of keys, which are each used to decrypt data objects that were encrypted. 13. The computer program product of claim 12 , wherein the authenticated user is authenticated by an authentication system of the computing environment configured to verify an identity of a user of the computer system. 14. The computer program product of claim 12 , wherein the master key is unique to the hardware security module. 15. The computer program product of claim 12 , wherein the set of decryption keys are configured to decrypt a subset of encrypted data objects in a data storage device of the computing environment. 16. The computer program product of claim 12 , wherein the operations further comprise denying access to the encrypted data based on a determination that the data encryption key does not correspond to one of the set of decryption keys. 17. The computer program product of claim 12 , wherein an identification of the hardware security module associated with the location includes determining one or more attributes of the authenticated user. 18. The computer program product of claim 12 , wherein the one or more attributes of the authenticated user include one or more of a physical location of the authenticated user, an access group of the authenticated user, and an organizational role of the authenticated user.