Entity authentication for pre-authenticated links
US-2024396898-A1 · Nov 28, 2024 · US
US9165158B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9165158-B2 |
| Application number | US-201013817345-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 17, 2010 |
| Priority date | Aug 17, 2010 |
| Publication date | Oct 20, 2015 |
| Grant date | Oct 20, 2015 |
Official abstract text for this publication.
An encryption key fragment is divided into a number of encryption key fragments. Requests to store different ones of the encryption key fragments are transmitted to different computer memory storage systems. An individual request to store an encryption key fragment includes one of the encryption key fragments and bears an access control hallmark for regulating access to the encryption key fragment.
Opening claim text (preview).
What is claimed is:
1. A computer-implemented method, the method comprising: encrypting a data object using an encryption key, the data object being associated with a data-object identifier that identifies the data object; dividing the encryption key into a first number, n, of encryption-key fragments according to an algorithm that enables reconstruction of the encryption key from a second number, k, of the encryption-key fragments, k being less than or equal to n; and transmitting store requests to store different ones of the encryption-key fragments to different computer memory storage systems, each of the different computer memory storage systems having a unique identifier, each request to store an encryption-key fragment comprising: at least one of the encryption-key fragments; a name assigned to the at least one of the encryption key fragments included in the request, the name based upon a combination of the unique identifier for the computer memory storage system that is requested to store the least one of the encryption key fragments included in the request and the data object identifier, wherein retrieval of the at least one of the encryption key fragments of the request is based upon use of the name; and an access control hallmark for regulating access to the encryption-key fragment.
2. The method of claim 1 further comprising: store requests, transmitting retrieve requests to retrieve the encryption-key fragments from the computer memory storage systems, each retrieve request bearing the access control hallmark; responsive to the retrieve requests, receiving at least k of the encryption-key fragments; and reconstructing the encryption key from the at least k received encryption-key fragments.
3. A computer-implemented method, the method comprising: encrypting a data object using an encryption key, the data object being associated with a data-object identifier that identifies the data object; dividing the encryption key into a first number, n, of encryption-key fragments according to an algorithm that enables reconstruction of the encryption key from a second number, k, of the encryption-key fragments, k being less than or equal to n; and transmitting store requests to store different ones of the encryption-key fragments to different computer memory storage systems, each request to store an encryption-key fragment including, at least one of the encryption-key fragments, a data-center-specific data-object identifier for identifying the data object to a service center, different store requests including different respective data-center-specific data-object identifiers, an access control hallmark for regulating access to the encryption-key fragment; store requests, transmitting retrieve requests to retrieve the encryption-key fragments from the computer memory storage systems, each retrieve request bearing the access control hallmark; responsive to the retrieve requests, receiving at least k of the encryption-key fragments; reconstructing the encryption key from the at least k received encryption-key fragments; and receiving a data-object request to access the data object, wherein the transmitting of retrieve requests further includes: determining that the data object is related to other encrypted data objects associated with other corresponding identifiers and for which encryption-key fragments have been distributed to the computer memory storage systems; and as a consequence of having received the data-object request and having determined that the data object is related to the other encrypted data objects and without yet having received requests to access the other encrypted data objects, transmitting retrieve requests to retrieve encryption-key fragments corresponding to the identifiers associated with the other encrypted data objects from the computer memory storage systems, each retrieve request bearing an access control hallmark that matches an access control hallmark made in a respective store request so as to demonstrate authorization to access the respective encryption-key fragment.
4. The method of claim 1 wherein dividing the encryption key into n encryption-key fragments according to an algorithm that enables reconstruction of the encryption key from k of the encryption-key fragments includes dividing the encryption key into n encryption-key fragments according to a secret sharing algorithm that enables reconstruction of the encryption key from k of the encryption-key fragments, k being less than n.
5. The method of claim 1 wherein dividing the encryption key into n encryption-key fragments according to an algorithm that enables reconstruction of the encryption key from k of the encryption-key fragments includes dividing the encryption key into n encryption-key fragments according to an erasure coding algorithm that enables reconstruction of the encryption key from k of the encryption-key fragments, k being less than n.
6. The method of claim 1, wherein the name is generated by applying a hashing algorithm to a combination of the identifier associated with the data object and the unique identifier for the computer memory storage system that is being requested to store the at least one of the encryption key fragments.
7. The method of claim 1 wherein transmitting, to the computer memory storage systems, requests to store the encryption-key fragments that bear access control hallmarks for controlling access to the encryption-key fragment includes: generating the requests to store the encryption-key fragments at a computing system; signing the requests to store the encryption-key fragments using a private key associated with the computing system; and transmitting the signed requests to store the encryption-key fragments to the computer memory storage systems.
8. The method of claim 1 wherein the identifier associated with the data object is a uniform resource identifier (URI) such that transmitting, to the computer memory storage systems, requests to store the encryption-key fragments that include indications of the identifier associated with the data object comprises transmitting, to the computer memory storage systems, requests to store the encryption-key fragments that include indications of the URI associated with the data object.
9. The method of claim 1 wherein the different computer memory storage systems comprise different data centers that are different from and physically remote from each other such that transmitting requests to store different ones of the encryption-key fragments to different computer memory storage systems includes transmitting requests to store different ones of the encryption-key fragments to different data centers that are different from and physically remote from each other.
10. The method of claim 9 wherein transmitting requests to store different ones of the encryption-key fragments to different data centers that are different from and physically remote from each other comprises transmitting n different requests to store an individual one of the encryption-key fragments to n different data centers, each request to store an encryption-key fragment including a different one of the n encryption-key fragments.
11. The method of claim 9 further comprising: storing the encryption key in a transient computer memory storage system; after transmitting the requests to store the encryption-key fragments to the different data centers: receiving, from some number of data centers to which requests to store encryption-key fragments were transmitted, confirmations that the corresponding encryption-key fragments have been stored, determining that confirmations, that the corresponding encryption-key fragments have been store
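The flow in claims 1, 2, 4 and 6 can be sketched as follows. This is an added illustration, not code from the patent: Shamir secret sharing stands in for the claimed "secret sharing algorithm", SHA-256 for the "hashing algorithm", and the in-memory `FragmentStore` class and the opaque byte-string hallmark are assumptions made for the example.

```python
import hashlib, hmac, secrets

P = 2**521 - 1  # Mersenne prime; field large enough for keys up to 65 bytes

def split_key(key: bytes, n: int, k: int):
    """Shamir split: n fragments (x, y); any k of them rebuild the key."""
    if not 1 <= k <= n or len(key) > 65:
        raise ValueError("need 1 <= k <= n and a key that fits the field")
    coeffs = [int.from_bytes(key, "big")] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def reconstruct_key(fragments, key_len: int) -> bytes:
    """Lagrange interpolation at x = 0 over GF(P); needs at least k fragments."""
    secret = 0
    for xi, yi in fragments:
        num = den = 1
        for xj, _ in fragments:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(key_len, "big")

def fragment_name(store_id: str, object_id: str) -> str:
    """Hash of store identifier + data-object identifier (claim 6).
    The length prefix keeps ("ab", "c") and ("a", "bc") from colliding."""
    return hashlib.sha256(f"{len(store_id)}:{store_id}{object_id}".encode()).hexdigest()

class FragmentStore:  # hypothetical stand-in for one remote storage system
    def __init__(self, store_id):
        self.store_id, self._db = store_id, {}
    def store(self, name, fragment, hallmark: bytes):
        self._db[name] = (fragment, hallmark)
    def retrieve(self, name, hallmark: bytes):
        fragment, expected = self._db[name]
        if not hmac.compare_digest(hallmark, expected):  # constant-time match
            raise PermissionError("hallmark mismatch")
        return fragment

def distribute(key, object_id, stores, k, hallmark):
    for store, frag in zip(stores, split_key(key, len(stores), k)):
        store.store(fragment_name(store.store_id, object_id), frag, hallmark)

def recover(object_id, stores, hallmark, key_len):
    frags = [s.retrieve(fragment_name(s.store_id, object_id), hallmark) for s in stores]
    return reconstruct_key(frags, key_len)
```

Because each name depends on the store identifier, no two stores hold a fragment under the same name, and `recover` works with any k reachable stores.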
Key distribution {or management, e.g. generation, sharing or updating, of cryptographic keys or passwords (network architectures or network communication protocols for supporting key management in a packet data network H04L63/06)} · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
Secret sharing or secret splitting, e.g. threshold schemes · CPC title
to a system of files or objects, e.g. local or distributed file system or database · CPC title
involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] · CPC title