Secure boot of virtualized computing instances

What is claimed is: 1 . A method, comprising: writing a wrapped data encryption key (DEK) and a wrapped key encryption key (KEK) onto a label of a wrapped operating system image prior to uploading the wrapped operating system image to a virtual data center; and wherein the method is performed by one or more computing devices. 2 . The method of claim 1 , further comprising: encrypting a system image under a data encryption key (DEK) to generate a wrapped system image; encrypting a data encryption key (DEK) under a key encryption key (KEK) to generate the wrapped DEK; and causing encrypting the KEK under an account root key to generate the wrapped KEK. 3 . The method of claim 1 , further comprising: generating, by the virtual data center, an encrypted machine image by merging the wrapped operating system image with an intermediary guest manager machine image; and launching, by the virtual data center, an instance based on the encrypted machine image. 4 . The method of claim 3 , wherein the launching the instance based on the encrypted machine image is based on: executing, by the virtual data center, an intermediary guest manager; sending, by the intermediary guest manager, a decryption request to a key management service that includes the wrapped KEK; receiving, by the intermediary guest manager, a response from the key management service that includes the KEK; unwrapping, by the intermediary guest manager, the wrapped DEK using the KEK to obtain the DEK; and booting up, by the intermediary guest manager, a guest operating system using the DEK. 5 . The method of claim 4 , wherein the intermediary guest manager does not store the KEK or the DEK in persistent storage of the virtual data center. 6 . The method of claim 4 , further comprising: generating, by the intermediary guest manager, a different data encryption key (DEK) for new root volume data produced during execution of the instance; generating, by the intermediary guest manager, a different key encryption key (KEK); and wrapping, by the intermediary guest manager, the DEK and the different DEK using the different KEK. 7 . The method of claim 4 , wherein the instance is launched with one or more data volumes and wherein the method further comprises: generating, by the intermediary guest manager, a data volume data encryption key (DEK) and a data volume key encryption key (KEK); wrapping, by the intermediary guest manager, the data volume DEK with the data volume KEK to produce a wrapped data volume data encryption key (DEK); sending, by the intermediary guest manager, an encryption request to the key management service to wrap the data volume KEK with an account root key; receiving, by the intermediary guest manager, a wrapped data volume key encryption key (KEK) that has been wrapped with the account root key from key management service; and writing, by the intermediary guest manager, the wrapped data volume DEK and the wrapped data volume KEK to the data volume. 8 . The method of claim 4 , wherein the generating the encrypted machine image is based on: booting up, by the virtual data center, a temporary instance from the intermediary guest manager machine image; mounting, by the intermediary guest manager, the wrapped operating system image as a guest drive of the intermediary guest manager; and storing a snapshot of the temporary instance as the encrypted machine image. 9 . A non-transitory computer-readable storage medium storing instructions which, when executed by one or more processors, cause: encrypting a system image under a data encryption key (DEK) to generate a wrapped operating system image; encrypting the DEK under a key encryption key (KEK) to generate a wrapped data encryption key (DEK); causing encrypting the KEK under an account root key to generate a wrapped key encryption key (KEK); and writing the wrapped DEK and the wrapped KEK onto a label of a wrapped operating system image prior to uploading the wrapped operating system image to a virtual data center. 10 . The non-transitory computer-readable storage medium of claim 9 , storing instructions which, when executed by one or more processors, further cause: generating, by the virtual data center, an encrypted machine image by merging the wrapped operating system image with an intermediary guest manager machine image; and launching, by the virtual data center, an instance based on the encrypted machine image. 11 . The non-transitory computer-readable storage medium of claim 10 , wherein the causing encrypting the KEK is based on: establishing a secure connection to a key management service; sending a request to wrap the KEK with the account root key to the key management service; and receiving the wrapped KEK that has been wrapped with the account root key from the key management service. 12 . The non-transitory computer-readable storage medium of claim 11 , wherein the launching the instance based on the encrypted machine image is based on: executing, by the virtual data center, an intermediary guest manager; sending, by the intermediary guest manager, a decryption request to a key management service that includes the wrapped KEK; receiving, by the intermediary guest manager, a response from the key management service that includes the KEK; unwrapping, by the intermediary guest manager, the wrapped DEK using the KEK to obtain the DEK; and booting up, by the intermediary guest manager, a guest operating system using the DEK. 13 . The non-transitory computer-readable storage medium of claim 12 , storing instructions which, when executed by one or more processors, cause: generating, by the intermediary guest manager, a different data encryption key (DEK) for new root volume data produced during execution of the instance; generating, by the intermediary guest manager, a different key encryption key (KEK); wrapping, by the intermediary guest manager, the DEK and the new DEK using the new KEK. 14 . The non-transitory computer-readable storage medium of claim 12 , wherein the instance is launched with one or more data volumes and wherein the non-transitory computer-readable medium stores instructions which, when executed by one or more processors, further cause: generating, by the intermediary guest manager, a data volume data encryption key (DEK) and a data volume key encryption key (KEK); wrapping, by the intermediary guest manager, the data volume DEK with the data volume KEK to produce a wrapped data volume data encryption key (DEK); sending, by the intermediary guest manager, an encryption request to the key management service to wrap the data volume KEK with the account root key; receiving, by the intermediary guest manager, a wrapped data volume key encryption key (KEK) that has been wrapped with the account root key from key management service; writing, by the intermediary guest manager, the wrapped data volume DEK and the wrapped data volume KEK to the data volume. 15 . The non-transitory computer-readable storage medium of claim 10 , wherein generating the encrypted machine image is based on: booting up, by the virtual data center, a temporary instance from the intermediary guest manager machine image; mounting, by the intermediary guest manager, the wrapped system image as a guest drive of the intermediary guest manager; storing a snapshot of the temporary instance as the encrypted machine image. 16 . A computer system, comprising: an on-premises device having one or more processors and storage media storing first instructions for execution by the one or more