Secure group file sharing
US-2021266329-A1 · Aug 26, 2021 · US
US2023177171A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2023177171-A1 |
| Application number | US-202117457462-A |
| Country | US |
| Kind code | A1 |
| Filing date | Dec 3, 2021 |
| Priority date | Dec 3, 2021 |
| Publication date | Jun 8, 2023 |
| Grant date | — |
Official abstract text for this publication.
A cryptography agent is implemented to serve as an intermediary for a client application executing on an unsecured portion of a machine to bring greater hardware-based security to the client application. The cryptography agent does so by generating a public/private key pair for the client application and sealing the key pair inside an enclave that resides on a secured portion of the machine. The cryptography agent fetches confidential information for the client application from a secure server, where the confidential information is encrypted using the public key. The cryptography agent seals the confidential information using seal keys that are directly fused into hardware of the machine on which the enclave resides, which prevents the client application from accessing the confidential information in plaintext form. The client application sends commands to the cryptography agent, which performs operations within the enclave according to the commands once the client application is validated.
Opening claim text (preview).
What is claimed is:

1. A method, comprising: sending, by a cryptography agent to a secure server, a first token that is received from a client application; receiving, by the cryptography agent from the secure server, a second token that defines an application context associated with the client application; generating, by the cryptography agent, a public key and a private key for the client application; sealing, by the cryptography agent, the private key and the second token inside a secure enclave; receiving, by the cryptography agent, a third token that is generated within the secure enclave at least in part by encrypting information of the second token; sending, by the cryptography agent to the client application, the third token; sending, by the cryptography agent to the secure server, a request to fetch confidential information, the request containing the public key and the second token; receiving, by the cryptography agent from the secure server, the confidential information, the confidential information being encrypted by the public key; sealing, by the cryptography agent, the confidential information inside the secure enclave; receiving, by the cryptography agent from the client application, one or more operational commands along with the third token; validating, by the cryptography agent, the client application based on the received third token; and performing, in response to a successful validation of the client application, one or more operations according to the received one or more operational commands, the one or more operations being performed by the cryptography agent within the secure enclave.

2. The method of claim 1, wherein: the client application, the cryptography agent, and the secure enclave are executing on a same machine; the client application and the cryptography agent reside in an unencrypted portion of an electronic memory of the same machine; and the secure enclave resides in an encrypted portion of the electronic memory of the same machine.

3. The method of claim 1, further comprising: before the sending of the first token, registering the client application with the secure server, wherein the first token is received by the client application from the secure server as a part of the registering.

4. The method of claim 1, wherein the second token has a longer time duration than the first token.

5. The method of claim 1, wherein the application context comprises a set of policies, and wherein the method further comprises: determining, by the cryptography agent based on the set of policies, whether the client application is authorized to communicate with the secure server or authorized to perform one or more cryptographic operations.

6. The method of claim 5, further comprising: deleting, by the cryptography agent based on the set of policies, one or more keys previously granted to the client application by the secure server, wherein the one or more keys are stored on a machine on which the client application resides.

7. The method of claim 1, wherein: the secure enclave comprises one or more seal keys that are directly fused into hardware of a machine on which the secure enclave resides; and the sealing the private key and the second token comprises encrypting the private key and the second token using the one or more seal keys.

8. The method of claim 1, wherein the third token is generated at least in part by encrypting the second token with the public key.

9. The method of claim 1, wherein the confidential information comprises one or more cryptographic keys.

10. The method of claim 1, wherein none of the confidential information received by the cryptography agent from the secure server is in plain text format.

11. The method of claim 1, wherein: the secure enclave comprises one or more seal keys that are directly fused into hardware of a machine on which the secure enclave resides; and the sealing the confidential information comprises: decrypting the confidential information using the private key and encrypting the decrypted confidential information using the one or more seal keys.

12. The method of claim 1, wherein the one or more operational commands are in plain text format and comprise: encrypt, decrypt, sign, or verify.

13. The method of claim 1, wherein the validating comprises: decrypting the third token; decrypting the second token; comparing the decrypted third token and the decrypted second token; and performing the successful validation of the client application based on the comparing indicating that the decrypted third token matches the decrypted second token.

14. A system, comprising: an enclave that resides in an encrypted portion of a computer server, the enclave storing one or more seal keys that are directly fused into hardware of the computer server; a client application that resides in an unencrypted portion of the computer server, wherein the client application is prevented from communicating directly with the enclave; and a cryptographic agent that resides in the unencrypted portion of the computer server and that is configured to communicate with the enclave on behalf of the client application, wherein the cryptographic agent is further configured to perform operations that include: receiving, in response to a successful authentication of the client application by a secure server, an application context associated with the client application; generating a public key and a private key for the client application; sealing the private key and the application context within the enclave using the one or more seal keys; sending an encrypted version of the application context to the client application; sending, to the secure server, a first request to fetch information on behalf of the client application, the first request containing the public key and the application context; receiving, from the secure server, an encrypted version of the information, the information being encrypted by the public key; sealing the information within the enclave using the one or more seal keys; receiving a second request to perform one or more operations from the client application, the second request containing the encrypted version of the application context; validating the client application based on the received encrypted version of the application context; and performing, in response to a successful validation of the client application, the one or more operations within the enclave.

15. The system of claim 14, wherein the application context is received along with a set of policies, and wherein the operations further include: determining, based on the received set of policies, whether one or more keys previously granted to the client application and currently stored on the computer server should be revoked; and deleting the one or more keys from the computer server in response to a determination that the one or more keys should be revoked.

16. The system of claim 14, wherein the validating is performed at least in part by determining whether a content of the received encrypted version of the application context matches a content of the application context that is sealed within the enclave.

17. The system of claim 14, wherein the computer server is a first computer server, and wherein the system further comprises a second computer server that communicates with the cryptographic agent, but not directly with the client application or the enclave, to provide the application context and the information to the cryptographic agent.
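The token exchange and sealing flow of claims 1, 8, 11 and 13 can be followed end to end in a small simulation. The Go program below is an added example written for this page, not code from the patent or its assignee; it models the four parties in one process. The enclave's seal key is a constructed in-memory stand-in for the hardware-fused seal keys the claims describe, the secure server is an in-memory map, the "confidential information" is an HMAC key, and the supported plaintext commands are limited to `sign` and `verify`. The third token is the application context encrypted to the client's public key (claim 8), and validation decrypts it with the sealed private key and compares it to the sealed second token (claim 13); a forged third token is rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// Enclave stands in for the secured portion of the machine. Its seal key is a
// constructed stand-in for the hardware-fused seal keys of claim 7.
type Enclave struct{ sealKey []byte }

func NewEnclave() *Enclave { return &Enclave{sealKey: randBytes(32)} }

func (e *Enclave) aead() cipher.AEAD {
	block, _ := aes.NewCipher(e.sealKey)
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal encrypts data under the seal key (AES-256-GCM, nonce prepended).
func (e *Enclave) Seal(data []byte) []byte {
	g := e.aead()
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, data, nil)
}

func (e *Enclave) Unseal(blob []byte) ([]byte, error) {
	g := e.aead()
	n := g.NonceSize()
	if len(blob) < n {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, blob[:n], blob[n:], nil)
}

// SecureServer is an in-memory stand-in for the remote secure server that
// issues tokens and holds each app's confidential key.
type SecureServer struct{ firstTokens, secondTokens, secrets map[string][]byte }

func NewSecureServer() *SecureServer {
	return &SecureServer{map[string][]byte{}, map[string][]byte{}, map[string][]byte{}}
}

// Register issues the first token (claim 3) and provisions the app's secret.
func (s *SecureServer) Register(appID string) []byte {
	s.firstTokens[appID] = randBytes(16)
	s.secrets[appID] = randBytes(32)
	return s.firstTokens[appID]
}

// ExchangeToken consumes the first token and returns the second token, the
// application context, which carries the policy string for the app (claim 5).
func (s *SecureServer) ExchangeToken(first []byte) ([]byte, error) {
	for id, t := range s.firstTokens {
		if hmac.Equal(t, first) {
			delete(s.firstTokens, id)
			ctx := []byte("ctx:" + id + ":policy=sign,verify")
			s.secondTokens[id] = ctx
			return ctx, nil
		}
	}
	return nil, errors.New("unknown first token")
}

// Fetch returns the secret encrypted to the supplied public key, so it never
// leaves the server in plaintext (claim 10).
func (s *SecureServer) Fetch(pub *rsa.PublicKey, ctx []byte) ([]byte, error) {
	for id, c := range s.secondTokens {
		if bytes.Equal(c, ctx) {
			return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, s.secrets[id], nil)
		}
	}
	return nil, errors.New("unknown application context")
}

// CryptoAgent lives in the unsecured portion and only ever holds sealed blobs.
type CryptoAgent struct {
	server                             *SecureServer
	enclave                            *Enclave
	sealedPriv, sealedCtx, sealedSecret []byte
}

// Onboard performs the token dance of claim 1 and returns the third token.
func (a *CryptoAgent) Onboard(first []byte) ([]byte, error) {
	ctx, err := a.server.ExchangeToken(first)
	if err != nil {
		return nil, err
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	a.sealedPriv = a.enclave.Seal(x509.MarshalPKCS1PrivateKey(priv))
	a.sealedCtx = a.enclave.Seal(ctx)
	third, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, ctx, nil) // claim 8
	if err != nil {
		return nil, err
	}
	enc, err := a.server.Fetch(&priv.PublicKey, ctx)
	if err != nil {
		return nil, err
	}
	secret, err := rsa.DecryptOAEP(sha256.New(), nil, priv, enc, nil) // claim 11: decrypt, then re-seal
	if err != nil {
		return nil, err
	}
	a.sealedSecret = a.enclave.Seal(secret)
	return third, nil
}

// validate implements claim 13: decrypt the third token with the sealed
// private key and compare it with the sealed second token.
func (a *CryptoAgent) validate(third []byte) error {
	der, err := a.enclave.Unseal(a.sealedPriv)
	if err != nil {
		return err
	}
	priv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return err
	}
	got, err := rsa.DecryptOAEP(sha256.New(), nil, priv, third, nil)
	if err != nil {
		return errors.New("third token does not decrypt")
	}
	want, err := a.enclave.Unseal(a.sealedCtx)
	if err != nil {
		return err
	}
	if !hmac.Equal(got, want) {
		return errors.New("application context mismatch")
	}
	return nil
}

// Execute runs a plaintext command ("sign" or "verify", claim 12) with the
// sealed secret only after the caller's third token validates.
func (a *CryptoAgent) Execute(third []byte, cmd string, data, tag []byte) ([]byte, error) {
	if err := a.validate(third); err != nil {
		return nil, err
	}
	key, err := a.enclave.Unseal(a.sealedSecret)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	switch cmd {
	case "sign":
		return mac.Sum(nil), nil
	case "verify":
		if hmac.Equal(mac.Sum(nil), tag) {
			return []byte("ok"), nil
		}
		return nil, errors.New("bad signature")
	}
	return nil, errors.New("unsupported command")
}

// RunDemo wires the parties together; it returns the tag produced for a
// constructed message and whether a forged third token was rejected.
func RunDemo() (sig []byte, forgedRejected bool, err error) {
	srv := NewSecureServer()
	agent := &CryptoAgent{server: srv, enclave: NewEnclave()}
	third, err := agent.Onboard(srv.Register("payments-app"))
	if err != nil {
		return nil, false, err
	}
	msg := []byte("transfer 100 to acct 42") // constructed sample input
	if sig, err = agent.Execute(third, "sign", msg, nil); err != nil {
		return nil, false, err
	}
	if _, err = agent.Execute(third, "verify", msg, sig); err != nil {
		return nil, false, err
	}
	_, ferr := agent.Execute(randBytes(len(third)), "sign", msg, nil)
	return sig, ferr != nil, nil
}

func main() {
	sig, rejected, err := RunDemo()
	fmt.Printf("tag=%x forged-token-rejected=%v err=%v\n", sig, rejected, err)
}
```

The point the simulation makes visible is that the client application never receives the private key or the confidential key: it holds only the third token, which is useless without the sealed private key, and every command is executed against sealed material after the context comparison succeeds.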
Program or device authentication · CPC title
wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for public-key encryption H04L9/30) · CPC title
Providing cryptographic facilities or services · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title