Cryptlet binding key graph

US11728992B2 · US · B2

Patent metadata

Publication number: US-11728992-B2
Application number: US-202217708462-A
Country: US
Kind code: B2
Filing date: Mar 30, 2022
Priority date: Sep 19, 2017
Publication date: Aug 15, 2023
Grant date: Aug 15, 2023

Abstract

Official abstract text for this publication.

The disclosed technology is generally directed to secure transactions. In one example of the technology, an enclave is used for executing a cryptlet binary of a first cryptlet. The enclave is a secure execution environment for which results of a secure execution are capable of being attested to have run unaltered and in private, the enclave stores an enclave private key, and the first cryptlet is associated with at least a first counterparty. A cryptlet binding that is associated with the first cryptlet is generated. The cryptlet binding includes counterparty information that is associated with at least the first counterparty. Cryptlet binding information is provided to a cryptlet binding key graph. A location of a hardware security module (HSM) that stores a key that is associated with the first counterparty is received from the cryptlet binding key graph.

First claim

Opening claim text (preview).

I claim:

1. An apparatus, comprising: a device including at least one memory adapted to store run-time data for the device, and at least one processor that is adapted to execute processor-executable code that, in response to execution, enables the device to perform actions, including: identifying an enclave to be used for executing a cryptlet binary of a first cryptlet, wherein: the enclave is a secure execution environment for which results of a secure execution are capable of being attested to have run unaltered and in private, the enclave stores an enclave private key, and the first cryptlet is associated with at least a first counterparty and a second counterparty; generating a cryptlet binding that is associated with the first cryptlet, wherein the cryptlet binding includes counterparty information that is associated with at least the first counterparty; providing cryptlet binding information to a cryptlet binding key graph; receiving, from the cryptlet binding key graph, a first location of a first hardware security module (HSM) that stores a first key that is associated with the first counterparty, a first address of the first key being on a first network; and a second location of a second HSM that stores a second key that is associated with the second counterparty, a second address of the second key being on a second network, the second network being a private network that is separate from the first network; and initiating execution of the cryptlet binary within the enclave, and in which, based on execution of the cryptlet binary within the enclave, the first cryptlet executes smart contact logic associated with a first smart contract involving at least the first counterparty, generates a secret that enables resumption of the cryptlet binary, and persists secret to the first HSM.

2. The apparatus of claim 1, wherein the actions further include dynamically establishing a secure encrypted communication tunnel between the enclave and the first HSM for securely transmitting the first key to the first cryptlet executing in the enclave.

3. The apparatus of claim 2, wherein establishing the secure encrypted communication tunnel includes: deriving a session public/private enclave key pair, including a session enclave private key and a session enclave public key, from the enclave private key and an enclave public key; sending the session enclave public key to the first HSM; receiving, from the first HSM, a session HSM public key; encrypting additional information with the session enclave private key to generate encrypted additional information; sending the encrypted additional information to the first HSM; receiving further encrypted information from the first HSM; and decrypting the further encrypted information with the session enclave private key.

4. The apparatus of claim 1, wherein the cryptlet binding key graph provides a multi-party registry for locating keys and their corresponding storage endpoints.

5. The apparatus of claim 1, wherein the actions further include communicating the cryptlet binary, the cryptlet binding, and the first location of the first HSM to the enclave.

6. The apparatus of claim 1, wherein the cryptlet binding information is the cryptlet binding.

7. The apparatus of claim 1, wherein the first HSM is a key vault.

8. The apparatus of claim 1, wherein the actions further include, after identifying the enclave, injecting a cryptlet container into the enclave.

9. The apparatus of claim 1, wherein the enclave is a private, tamper-resistant execution environment that is secure from external interference.

10. The apparatus of claim 1, wherein persistent storage of the first key that is associated with the first counterparty is not permitted outside of the first HSM.

11. A method, comprising: identifying an enclave to be used for executing a cryptlet binary of a first cryptlet, wherein: the enclave is a secure execution environment for which results of a secure execution are capable of being attested to have run unaltered and in private, the enclave stores an enclave private key, and the first cryptlet is associated with at least a first counterparty and a second counterparty; generating a cryptlet binding that is associated with the first cryptlet, wherein the cryptlet binding includes counterparty information that is associated with at least the first counterparty; providing cryptlet binding information to a cryptlet binding key graph; receiving, from the cryptlet binding key graph, a first location of a first hardware security module (HSM) that stores a first key that is associated with the first counterparty, a first address of the first key being on a first network; and a second location of a second HSM that stores a second key that is associated with the second counterparty, a second address of the second key being on a second network, the second network being a private network that is separate from the first network; and initiating execution of the cryptlet binary within the enclave, and in which, based on execution of the cryptlet binary within the enclave, the first cryptlet executes smart contact logic associated with a first smart contract involving at least the first counterparty, generates a secret that enables resumption of the cryptlet binary, and persists secret to the first HSM.

12. The method of claim 11, further comprising dynamically establishing a secure encrypted communication tunnel between the enclave and the first HSM for securely transmitting the first key to the first cryptlet executing in the enclave.

13. The method of claim 12, wherein establishing the secure encrypted communication tunnel includes: deriving a session public/private enclave key pair, including a session enclave private key and a session enclave public key, from the enclave private key and an enclave public key; sending the session enclave public key to the first HSM; receiving, from the first HSM, a session HSM public key; encrypting additional information with the session enclave private key to generate encrypted additional information; sending the encrypted additional information to the first HSM; receiving further encrypted information from the first HSM; and decrypting the further encrypted information with the session enclave private key.

14. The method of claim 11, wherein the cryptlet binding key graph provides a multi-party registry for locating keys and their corresponding storage endpoints.

15. The method of claim 11, further comprising communicating the cryptlet binary, the cryptlet binding, and the first location of the first HSM to the enclave.

16. The method of claim 11, wherein the cryptlet binding information is the cryptlet binding.

17. The method of claim 11, wherein the first HSM is a key vault.

18. A processor-readable storage medium, having stored thereon processor-executable code that, upon execution by at least one processor, enables actions, comprising: identifying an enclave to be used for executing a cryptlet binary of a first cryptlet, wherein: the enclave is a secure execution environment for which results of a secure execution are capable of being attested to have run unaltered and in private, the enclave stores an enclave private key, and the first cryptlet is associated with at least a first counterparty and a second counterparty; generating a cryptlet binding that is associated with the first cryptlet, wherein the cryptlet binding includes counterparty information that is associated with at least the first counterparty; providing cryptlet

Classifications

  • H04L9/3226 (Primary)

    using a predetermined code, e.g. password, passphrase or PIN (network architectures or network communication protocols for supporting authentication of entities using passwords in a packet data network H04L63/083)

  • G06F21/53 (Primary)

    by executing in a restricted environment, e.g. sandbox or secure virtual machine

  • Use of secure elements separate from M-devices

  • using an alias or single-use codes

  • Use of electronic signatures

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11728992B2 cover?
The disclosed technology is generally directed to secure transactions. In one example of the technology, an enclave is used for executing a cryptlet binary of a first cryptlet. The enclave is a secure execution environment for which results of a secure execution are capable of being attested to have run unaltered and in private, the enclave stores an enclave private key, and the first cryptlet …
Who is the assignee on this patent?
Microsoft Technology Licensing LLC
What technology area does this patent fall under?
Primary CPC classification H04L9/3226. Mapped technology areas include Electricity.
When was this patent published?
Publication date Aug 15, 2023 (B2). Legal status and post-grant events are not shown on this page.