Secure cryptlet tunnel

We claim: 1 . An apparatus for secure transactions, comprising: a device including at least one memory adapted to store run-time data for the device, and at least one processor that is adapted to execute processor-executable code that, in response to execution, enables the device to perform actions, including: storing, in an enclave, an enclave key pair including an enclave private key and an enclave public key, wherein the enclave is a secure execution environment; registering the enclave as a member of an enclave pool; establishing and using a secure encrypted communication tunnel between the enclave and a hardware security module (HSM), including: deriving a session public/private enclave key pair, including a session enclave private key and a session enclave public key, from the enclave key pair; sending the session enclave public key to the HSM; receiving, from the HSM, a session HSM public key; encrypting additional information with the session enclave private key; sending the encrypted additional information to the HSM; receiving further encrypted information from the HSM; and decrypting the further encrypted information with the session enclave private key; receiving, from a cryptlet fabric configured to manage the enclave pool, cryptlet code; executing the cryptlet code in the enclave; and signing a payload of the cryptlet code with the enclave private key. 2 . The apparatus of claim 1 , wherein the further encrypted information includes a key chain, wherein the key chain include a cryptlet public key and a cryptlet private key, and wherein the action further include at least one of signing or encrypting the payload of the cryptlet code with the cryptlet private key. 3 . The apparatus of claim 1 , wherein receiving, from the HSM, the session HSM public key, is accomplished via an intermediary device that operates as a broker. 4 . The apparatus of claim 1 , wherein the further encrypted information includes at least one other private key. 5 . The apparatus of claim 1 , wherein the HSM has persistent storage. 6 . The apparatus of claim 1 , wherein the further encrypted information includes an encrypted user key. 7 . The apparatus of claim 1 , wherein the HSM is a key vault. 8 . The apparatus of claim 1 , the actions further comprising creating a new key in the enclave, and wherein the additional information includes the new key. 9 . The apparatus of claim 1 , wherein the enclave is a private, tamper-resistant execution environment that is secure from external interference. 10 . The apparatus of claim 1 , wherein the enclave is at least one of a Virtual Secure Machine or a secure hardware enclave. 11 . The apparatus of claim 1 , wherein the enclave is a secure execution environment in which code can be run in an isolated, private environment and for which results of the secure execution are capable of being attested to have run unaltered and in private. 12 . The apparatus of claim 1 , wherein the enclave is a hardware enclave, and wherein the enclave private key of the enclave is etched in silicon. 13 . A method, comprising: receiving, from a cryptlet fabric configured to manage an enclave pool that includes a first enclave, cryptlet code; generating a session enclave key pair from an enclave key pair, wherein the enclave key pair includes an enclave private key and an enclave public key, and wherein the session enclave key pair includes a session enclave private key and a session enclave public key; communicating the session enclave public key to a hardware security module (HSM); receiving, from the HSM, a session HSM public key; encrypting additional information with the session HSM public key; and communicating the encrypted additional information to the HSM. 14 . The method of claim 13 , further comprising: receiving, from the HSM, a session HSM public key; receiving further encrypted information from the HSM; decrypting the further encrypted information with the session enclave private key; and executing the cryptlet code in the first enclave. 15 . The method of claim 13 , further comprising: signing a payload of the cryptlet code with the enclave private key. 16 . The method of claim 13 , wherein the further encrypted information includes at least a cryptlet key pair. 17 . The method of claim 13 , further comprising creating a new key in the enclave, and wherein the additional information includes the new key. 18 . A processor-readable storage medium, having stored thereon process-executable code that, upon execution by at least one processor, enables actions, comprising: establishing and using a secure encrypted communication channel between an enclave and a hardware security module (HSM), including: deriving a session enclave key pair from an enclave key pair, wherein the enclave key pair includes an enclave private key and an enclave public key, and wherein the session key pair includes a session enclave private key and a session enclave public key; sending the session enclave public key to the HSM; receiving, from the HSM, a session HSM public key; encrypting additional information with the session HSM public key; sending the encrypted additional information to the HSM; receiving further encrypted information from the HSM; and decrypting the further encrypted information with the session enclave private key; and signing a payload of the enclave with the enclave private key. 19 . The processor-readable storage medium of claim 18 , the actions further comprising: registering the enclave as a member of an enclave pool; receiving, from a cryptlet fabric configured to manage the enclave pool, cryptlet code; and executing the cryptlet code in the enclave. 20 . The processor-readable storage medium of claim 18 , wherein the further encrypted information includes at least a cryptlet key pair.