Secure key management protocol for distributed network encryption

US11533301B2 · US · B2

Patent metadata
Publication number: US-11533301-B2
Application number: US-202017063441-A
Country: US
Kind code: B2
Filing date: Oct 5, 2020
Priority date: Aug 26, 2016
Publication date: Dec 20, 2022
Grant date: Dec 20, 2022

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

For an encryption management module of a host that executes one or more data compute nodes (DCNs), some embodiments of the invention provide a method of providing key management and encryption services. The method initially receives an encryption key ticket at an encryption management module to be used to retrieve an encryption key identified by the ticket from a key manager. When the encryption key has been retrieved, the method uses the encryption key to encrypt a message sent by a data compute node executing on the host requiring encryption according to an encryption rule. The encryption key ticket, in some embodiments, is generated for an encryption management module to implement the principle of least privilege. The ticket acts as a security token in retrieving encryption keys from a key manager. Ticket distribution and encryption rule distribution are independent of each other in some embodiments.

Claims

Full claim text for this publication.

What is claimed is:

1. A method of providing encryption keys in a system comprising a plurality of host computers, the method comprising: at a key manager separate from the host computers: receiving, from a plurality of host computers, a plurality of key vouchers each (i) authenticating the host computer that provided the key voucher as an authorized key requestor and (ii) provided to the host computer by a set of one or more servers to authenticate the host computer to the key manager; using the key voucher of each host computer to authenticate the host computer as an authorized key requestor; and sending, to each host computer, an encryption key associated with the key voucher provided by the host computer, each host computer to use the sent key to encrypt data messages sent by a machine executing on the host computer.

2. The method of claim 1, wherein each key voucher from a host computer comprises an identifier for identifying the encryption key to send to the host computer.

3. The method of claim 1, wherein using the key voucher comprises verifying that a server that generated the key voucher was authorized to generate the key voucher.

4. The method of claim 3, wherein verifying that the server that generated the key voucher was authorized to generate the key voucher comprises using a certificate of the server received during a registration process.

5. The method of claim 1, wherein using the key voucher comprises verifying that an encryption key identified in the key voucher has not expired.

6. The method of claim 5, wherein the expiration of the identified encryption key is specified in a key policy for the identified encryption key, is based on the length of time the key has been in use, or is based on the amount of data the encryption key has been used to encrypt.

7. The method of claim 1, wherein: each of the plurality of host computers execute a set of machines; the set of servers comprise controllers for configuring processing of the data messages sent by the machines; and the key manager is provided by a third party separate from administrators that manage the set of servers.

8. The method of claim 1, wherein the set of servers provides a set of encryption rules to each of the plurality of host computers to encrypt data messages sent by machines executing on the host computers.

9. The method of claim 8, wherein: each encryption rule refers to a key policy; and each key voucher is generated based on a key policy associated with a particular key identifier (KID) that identifies an encryption key for encrypting data messages according to the corresponding encryption rule.

10. The method of claim 8, wherein: each encryption rule refers to a key policy; and each key voucher is generated based on a key policy that specifies a key identifier to identify an encryption key to use for the encryption rule.

11. A method of configuring a system to provide encryption services in a system comprising a plurality of host computers, the method comprising: receiving an encryption key policy from a set of one or more manager servers; generating, for a plurality of encryptors executing on a plurality of host computers, a key voucher based on the received encryption key policy; and sending the generated key voucher to the plurality of encryptors to use to retrieve, from a key manager external to the host computers, an encryption key identified by the key voucher for performing encryption operations on data messages sent and received by a set of machines executing on the plurality of host computers.

12. The method of claim 11 further comprising: receiving an encryption rule from the set of manager computers; and distributing the received encryption rule to a set of encryptors executing on a set of host computers, a particular encryptor using the encryption rule to determine that a data message sent from a machine executing on the encryptor's host computer requires encryption.

13. The method of claim 12, wherein the encryption rule refers to a key policy to identify an encryption key used to encrypt data messages that require encryption based on the encryption rule.

14. The method of claim 12, wherein determining that a data message requires encryption comprises determining that a data message should have an integrity check value appended.

15. The method of claim 11, wherein generating a key voucher comprises generating a set of key vouchers, each key voucher in the set of key vouchers comprising a unique pair of security parameter indices (SPIs) and key identifiers (KIDs).

16. The method of claim 11, wherein the key voucher includes at least one of a key identifier, a host identifier, an expiry for the key voucher, and a signature.

17. The method of claim 11, wherein each encryptor retrieves an encryption key by sending a request with a key voucher to the key manager.

18. A non-transitory machine readable medium storing a program which when executed by at least one processing unit configures a system to provide encryption services in a system comprising a plurality of host computers, the program comprising sets of instructions for: receiving an encryption key policy from a set of one or more manager servers; generating, for a plurality of encryptors executing on a plurality of host computers, a key voucher based on the received encryption key policy; and sending the generated key voucher to the plurality of encryptors to use to retrieve, from a key manager external to the host computers, an encryption key identified by the key voucher for performing encryption operations on data messages sent and received by a set of machines executing on the plurality of host computers.

19. The non-transitory machine readable medium of claim 18, the program further comprises sets of instructions for: receiving an encryption rule from the set of manager computers; and distributing the received encryption rule to a set of encryptors executing on a set of host computers, a particular encryptor using the encryption rule to determine that a data message sent from a machine executing on the encryptor's host computer requires encryption.

20. The non-transitory machine readable medium of claim 19, wherein the encryption rule refers to a key policy to identify an encryption key used to encrypt data messages that require encryption based on the encryption rule.
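The voucher flow of claims 1 to 6, 11 and 16, as an added Python simulation that is not code from the patent or its assignee: a registered controller issues a voucher carrying a key identifier, host identifier, expiry and signature; the key manager checks that the issuer is registered, that the signature verifies, that the voucher is unexpired and bound to the requesting host, and that the key's own policy (time in use or data volume) has not expired before releasing the key. The HMAC-SHA256 secret shared at registration, the field names and all sample values are assumptions standing in for the certificate-based check the claims describe.

```python
import hashlib, hmac, json

# Constructed values. The claims check a voucher against a controller certificate
# received at registration (claim 4); an HMAC-SHA256 secret stands in for it here.
CONTROLLER_ID = "controller-1"
CONTROLLER_SECRET = b"constructed-registration-secret"

def sign(secret, voucher):
    body = json.dumps([voucher[k] for k in ("issuer", "kid", "host", "expiry")])
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()

def issue_voucher(issuer, secret, kid, host, ttl, now):
    """Controller side (claim 11): bind a KID to one host for a limited time."""
    voucher = {"issuer": issuer, "kid": kid, "host": host, "expiry": now + ttl}
    voucher["sig"] = sign(secret, voucher)
    return voucher

class KeyManager:
    """Key-manager side (claims 1-6): release a key only for a valid voucher."""

    def __init__(self):
        self.controllers = {}  # issuer id -> secret learned at registration
        self.keys = {}         # kid -> (key, key policy)
        self.used_bytes = {}   # kid -> bytes encrypted so far (claim 6)

    def register_controller(self, issuer, secret):
        self.controllers[issuer] = secret

    def install_key(self, kid, key, not_after, max_bytes):
        self.keys[kid] = (key, {"not_after": not_after, "max_bytes": max_bytes})

    def report_usage(self, kid, nbytes):
        self.used_bytes[kid] = self.used_bytes.get(kid, 0) + nbytes

    def retrieve_key(self, voucher, host, now):
        secret = self.controllers.get(voucher["issuer"])
        if secret is None:  # claim 3: the issuing server must be authorized
            raise PermissionError("voucher issuer not registered")
        if not hmac.compare_digest(sign(secret, voucher), voucher["sig"]):
            raise PermissionError("voucher signature invalid")
        if voucher["host"] != host or now > voucher["expiry"]:
            raise PermissionError("voucher not valid for this host, or expired")
        if voucher["kid"] not in self.keys:
            raise PermissionError("unknown key identifier")
        key, policy = self.keys[voucher["kid"]]  # claims 5-6: key policy expiry
        used = self.used_bytes.get(voucher["kid"], 0)
        if now > policy["not_after"] or used >= policy["max_bytes"]:
            raise PermissionError("key expired under its key policy")
        return key
```

Because the signature covers the key identifier and host identifier, a voucher issued to one host cannot be replayed by another host or re-pointed at a different key without the issuer's secret.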

Assignees

Nicira Inc

Classifications

  • H04L63/061 (Primary): for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement H04L9/0838) · CPC title

  • using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title


Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11533301B2 cover?
For an encryption management module of a host that executes one or more data compute nodes (DCNs), some embodiments of the invention provide a method of providing key management and encryption services. The method initially receives an encryption key ticket at an encryption management module to be used to retrieve an encryption key identified by the ticket from a key manager. When the encryptio…
Who is the assignee on this patent?
Nicira Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/061. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 20, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).