System and method for managing secret information using virtualization

What is claimed is: 1 . A method for managing secret information for virtual entities in a distributed computer system, the method comprising: generating secret information for a virtual entity wherein the virtual entity is hosted in a host computer in the distributed computer system; distributing at least one piece of the secret information to multiple secret storage service entities; deploying the virtual entity on the host computer; providing the secret information to the virtual entity, by the host computer, for consumption by the virtual entity using the at least one piece of the secret information from one of the multiple secret storage service entities, wherein the secret information is stored on the host computer; and erasing the secret information from the host computer. 2 . The method of claim 1 , wherein distributing at least one piece of the secret information to multiple secret storage service entities includes distributing the entire secret information to the multiple secret storage service entities. 3 . The method of claim 1 , wherein providing the secret information to the virtual entity for consumption includes requesting the secret information from one of the multiple secret storage service entities by the host computer, and transmitting the secret information from that secret storage service entity to the host computer in response to the request. 4 . The method of claim 1 , further comprising: migrating the virtual entity from the host computer to another host computer in the distributed computer system; and providing the secret information to the virtual entity on the another host computer using the at least one piece of the secret information from one of the multiple secret storage service entities. 5 . The method of claim 1 , further comprising partitioning the secret information into a plurality of secret pieces using a secret sharing scheme, and wherein distributing at least one piece of the secret information to the multiple secret storage service entities includes distributing at least one of the secret pieces to each host computer in a group of host computers in the distributed computer system and to the virtual entity. 6 . The method of claim 5 , wherein the secret sharing scheme includes a (k, n)-threshold secret sharing scheme, where n is equal to the number of parties that will be holding the secret pieces and k is the number of secret pieces that are needed to derive the secret information. 7 . The method of claim 6 , wherein the (k, n)-threshold secret sharing scheme is a (2, n)-threshold secret sharing scheme so that at least two of the secret pieces are needed to derive the secret information. 8 . The method of claim 5 , wherein providing the secret information to the virtual entity for consumption includes deriving the secret information using the secret piece from the virtual entity and the secret piece from the host computer. 9 . The method of claim 5 , further comprising: migrating the virtual entity from the host computer to another host computer in the distributed computer system; deriving the secret information using the secret piece from the virtual entity and the secret piece from the another host computer; and providing the secret information to the virtual entity on the another host computer. 10 . A computer-readable storage medium containing program instructions for managing secret information for virtual entities in a distributed computer system, wherein execution of the program instructions by one or more processors of a computer system causes the one or more processors to perform steps comprising: generating secret information for a virtual entity to be hosted in a host computer in the distributed computer system; distributing at least one piece of the secret information to multiple secret storage service entities; deploying the virtual entity on the host computer; providing the secret information to the virtual entity, by the host computer, for consumption using the at least one piece of the secret information from one of the multiple secret storage service entities, wherein the secret information is stored on the host computer; and erasing the secret information from the host computer. 11 . The computer-readable storage medium of claim 10 , wherein distributing at least one piece of the secret information to multiple secret storage service entities includes distributing the entire secret information to the multiple secret storage service entities. 12 . The computer-readable storage medium of claim 10 , wherein providing the secret information to the virtual entity for consumption includes requesting the secret information from one of the multiple secret storage service entities by the host computer, and transmitting the secret information from that secret storage service entity to the host computer in response to the request. 13 . The computer-readable storage medium of claim 10 , wherein the steps further comprise: migrating the virtual entity from the host computer to another host computer in the distributed computer system; and providing the secret information to the virtual entity on the another host computer using the at least one piece of the secret information from one of the multiple secret storage service entities. 14 . The computer-readable storage medium of claim 10 , wherein the steps further comprise partitioning the secret information into a plurality of secret pieces using a secret sharing scheme, and wherein distributing at least one piece of the secret information to the multiple secret storage service entities includes distributing one of the secret pieces to each host computer in a group of host computers in the distributed computer system and to the virtual entity. 15 . The computer-readable storage medium of claim 14 , wherein the secret sharing scheme includes a (k, n)-threshold secret sharing scheme, where n is equal to the number of parties that will be holding the secret pieces and k is the number of secret pieces that are needed to derive the secret information. 16 . The computer-readable storage medium of claim 15 , wherein the (k, n)-threshold secret sharing scheme is a (2, n)-threshold secret sharing scheme so that at least two of the secret pieces are needed to derive the secret information. 17 . The computer-readable storage medium of claim 14 , wherein providing the secret information to the virtual entity for consumption includes deriving the secret information using the secret piece from the virtual entity and the secret piece from the host computer. 18 . The computer-readable storage medium of claim 14 , wherein the steps further comprise: migrating the virtual entity from the host computer to another host computer in the distributed computer system; deriving the secret information using the secret piece from the virtual entity and the secret piece from the another host computer; and providing the secret information to the virtual entity on the another host computer. 19 . A distributed computer system comprising: a plurality of host computers; and a plurality of virtual entities hosted on at least some of the host computers, each of the virtual entities being assigned secret information; wherein at least one piece of the secret information for each of the virtual entities is stored on more than one of the host computers, and wherein at least one of the host computers is configured to provide the secret information of a particular virtual entity deployed on that host computer using the at lea