Dynamic key management

US8948399B2 · US · B2

Patent metadata

Publication number: US-8948399-B2
Application number: US-201113118082-A
Country: US
Kind code: B2
Filing date: May 27, 2011
Priority date: May 27, 2011
Publication date: Feb 3, 2015
Grant date: Feb 3, 2015


Abstract

Official abstract text for this publication.

Apparatus, systems, and methods may operate to receive a public key associated with a public/private key pair at a key distribution handler, after a new workload and an associated key agent are created within a network of nodes. The associated key agent may be used to generate the key pair. Additional activity may include distributing, by the key distribution handler, the public key to other key agents associated with permitted workloads operating in the network. The public key may be used to overwrite or delete prior public keys for an authenticated workload identity associated with the new workload. Additional apparatus, systems, and methods are disclosed.

First claim

Opening claim text (preview).

What is claimed is:

1. An apparatus that is a key distribution handler, the apparatus comprising: a network interface to communicatively couple to a network, the network including a plurality of nodes respectively including workloads, each of the workloads including respective key agents, the respective key agents having generated respective key pairs for the respective workloads, the respective key agents having lifetimes substantially the same as the respective workloads; a processor implemented reception module arranged to: receive a notification from a new respective key agent on a new workload that key generation and application configuration to make use of a generated public/private key pair is complete, the new respective key agent having generated the public/private key pair, the generated key pair including a public key, the newly created workload being created by and assigned to a user in accordance with a policy; receive the public key in response to the notification from the new respective key agent; and assign the public key to the user; and a processor implemented distribution module arranged to distribute the public key, via the network interface, to a plurality of the respective key agents associated with a plurality of permitted workloads from the workloads operating on nodes in the network, wherein the public key is used to overwrite or delete prior public keys for an authenticated workload identity associated with the new workload, wherein the permitted workloads are assigned to the user and governed by the policy, and wherein the apparatus is a separate and distinct node from a node with the new respective key agent and nodes with the respective key agents.

2. The apparatus of claim 1, further comprising: a display to display key distribution status with respect to the permitted workloads.

3. The apparatus of claim 1, further comprising: a storage node to couple to the network and to store a map defining potential distribution locations for the public key within the network.

4. A system, comprising: a plurality of first nodes operating within a network, each of the first nodes comprising a respective key agent to generate respective public/private key pairs in conjunction with creation of respective workloads operating on the network, the respective key agents having lifetimes substantially the same as the respective workloads; and a second node that is separate and distinct from the plurality of first nodes, the second node being a key distribution handler, the second node comprising: a network interface to communicatively couple to the network; a processor implemented reception module, the reception module arranged to: receive a notification from a new respective key agent on a new workload that key generation and application configuration to make use of a generated public/private key pair are complete, the new respective key agent having generated the public/private key pair, the generated key pair including a public key, the newly created workload being created by and assigned to a user in accordance with a policy; receive the public key in response to the notification from the new respective key agent; and assign the public key to the user; and a processor implemented distribution module arranged to distribute the public key, via the network interface, to the associated key agents of the plurality of first nodes when distribution is permitted by a policy and whether the user is assigned to a respective workload of the plurality of first nodes, wherein the public key is used to overwrite or delete prior public keys for an authenticated workload identity that identifies the new workload.

5. The system of claim 4, wherein the second node comprises a secure key vault to store the public key.

6. The system of claim 4, wherein the second node comprises a workload orchestration service to control operation of the distribution module according to the policy and a map defining potential distribution locations for the public key, both within and outside of the network.

7. A processor-implemented method for a key distribution handler to execute on one or more processors that perform the method in the network including a plurality of nodes respectively including workloads, each of the workloads including respective key agents, the respective key agents having generated respective key pairs for the respective workloads, the respective key agents having lifetimes substantially the same as the respective workloads, the method comprising: receiving a notification from a new respective key agent on a new workload that key generation and application configuration to make use of a generated public/private key pair are complete, the new respective key agent having generated the public/private key pair, the generated key pair including a public key, the newly created workload being created by and assigned to a user in accordance with a policy; receiving the public key in response to the notification from the new respective key agent; assigning the public key to the user; and distributing the public key to a plurality of respective key agents associated with a plurality of permitted workloads from the workloads operating on nodes in the network, wherein the public key is used to overwrite or delete prior public keys for an authenticated workload identity associated with the new workload, wherein the permitted workloads are assigned to the user and governed by the policy, and wherein the apparatus is a separate and distinct node from a node with the new respective key agent and nodes with the respective key agents.

8. The method of claim 7, wherein the distributing further comprises: distributing the public key associated with the new workload comprising at least one of a virtual machine workload, a physical machine workload, or a workload configured to couple to the network.

9. The method of claim 7, further comprising: requesting the respective key agents to remove corresponding records of the public key in response to a status of the new workload changing from trusted to removed, destroyed, or untrusted.

10. The method of claim 7, wherein the distributing further comprises: distributing, by the key distribution handler, the public key to all other workload key agents associated with permitted workloads operating outside of the network.

11. The method of claim 7, further comprising: creating a map to store a record of a relationship between the public key and the new workload.

12. The method of claim 11, further comprising: accessing the map to determine potential workloads for the distributing, the potential workloads including all of the permitted workloads.

13. The method of claim 7, wherein the respective key agents are associated with a user identity that is identical to a user identity associated with the new workload.

14. The method of claim 7, wherein the policy is a user policy controlled by an enterprise policy when both policies are in use.

15. A processor-implemented method to execute on one or more processors that perform the method, comprising: receiving, from a key distribution handler, a newer public key associated with a public/private key pair assigned to a user by the key distribution handler, by an older key agent, of a plurality of older key agents, associated with an older workload, of a plurality of older workloads, operating within a network of nodes, the older key agent having a lifetime substantially the same as the older workload, the receiving to occur when transmission is permitted by a first policy governing key distribution for a newer w

Assignees

Novell Inc

Inventors

Sabin Jason Allen, Jorgensen Michael John

Classifications

  • H04L9/0891 (primary): Revocation or update of secret information, e.g. encryption key update or rekeying (CPC title)

  • for supporting key management in a packet data network (cryptographic mechanisms or cryptographic arrangements for key management H04L9/08) (CPC title)


Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Sabin Jason Allen, Jorgensen Michael John, Novell Inc
What technology area does this patent fall under?
Primary CPC classification H04L9/0891. Mapped technology areas include Electricity.
When was this patent published?
Publication date Feb 3, 2015 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).