US9424439B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9424439-B2 |
| Application number | US-201113230121-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 12, 2011 |
| Priority date | Sep 12, 2011 |
| Publication date | Aug 23, 2016 |
| Grant date | Aug 23, 2016 |
Official abstract text for this publication.
Techniques for secure data synchronization are described. In one or more implementations, techniques may be employed to conserve high cost data storage by storing larger portions of encrypted data in low cost storage, while storing relatively smaller encryption keys in higher cost storage. A device that is granted access to the encryption keys can retrieve the encrypted data from the low cost storage and use the encryption keys to decrypt the encrypted data.
Opening claim text (preview).
What is claimed is:

1. One or more computer-readable hardware storage media storing computer-readable instructions which are executable to perform operations comprising: receiving at a device and via a network encrypted data from a first external data storage in response to a user of the device logging on to a user account associated with the first external data storage; receiving a request from an application that resides on the device that the encrypted data be decrypted; requesting that sensitive data from the device be encrypted before the sensitive data is stored on the first external data storage; receiving via the network one or more security keys from a second external data storage that is separate from the first external data storage, the one or more security keys being received in response to a separate authentication procedure that enables access to the second external data storage; decrypting the encrypted data using a decryption key from the one or more security keys received from the second external data storage; encrypting the sensitive data using an encryption key from the one or more security keys received from the second external data storage to generate encrypted sensitive data; and marking the encrypted sensitive data with an application identifier associated with the application that resides on the device to grant access to the encrypted sensitive data to one or more applications having an associated application identifier that matches the application identifier used to mark the encrypted sensitive data, the application identifier associated with the application including a same identifier that is associable with multiple instances of the application across multiple devices.

2. The one or more computer-readable hardware storage media of claim 1, wherein one or more of the second external data storage or the first external data storage are implemented as part of a cloud computing system.

3. The one or more computer-readable hardware storage media of claim 1, wherein the sensitive data comprises user credentials that are usable to access one or more resources associated with the user of the device.

4. The one or more computer-readable hardware storage media of claim 1, wherein the operations include enabling the encrypted sensitive data from the device to be synchronized with at least one other device such that application states for the application on the device and an additional application on the at least one other device are synchronized.

5. The one or more computer-readable hardware storage media of claim 1, wherein the operations include submitting the encrypted sensitive data marked with the application identifier for communication to the first external data storage.

6. The one or more computer-readable hardware storage media of claim 1, wherein the operations include: receiving a request to access the encrypted sensitive data from a requesting application; and allowing the requesting application to access the encrypted sensitive data if an application identifier associated with the requesting application matches the application identifier used to mark the encrypted sensitive data.

7. The one or more computer-readable hardware storage media of claim 1, wherein the operations include: receiving an indication that a trusted status of the device has been revoked; and responsive to receiving said indication, preventing the device from receiving one or more additional security keys.

8. A method comprising: marking encrypted data with an application identifier for an application executing on a device to grant access to the encrypted data to one or more applications having an application identifier that matches the application identifier used to mark the encrypted data, the application identifier for the application including a same application identifier that is associable with multiple instances of the application across multiple devices; receiving, from the application executing on the device, a request for the encrypted data; ascertaining whether the application identifier for the application matches the application identifier used to mark the encrypted data; and if the application identifier for the application matches the application identifier used to mark the encrypted data, retrieving and decrypting the encrypted data for the application, the encrypted data being retrieved via a network from a first data storage and decrypted using one or more security keys stored in a second data storage that is separate from the first data storage, the encrypted data being retrieved in response to a user of the device authenticating with a service associated with the first data storage, and the one or more security keys received in response to a separate authentication transaction associated with the second data storage.

9. The method as described in claim 8, wherein said encrypted data comprises encrypted user credentials that, when decrypted, enable access to one or more resources associated with the user of the device.

10. The method as described in claim 8, wherein said ascertaining comprises querying an operating system of the device for the application identifier for the application.

11. The method as described in claim 8, wherein said request for encrypted data is received as part of a synchronization operation between the device and the first data storage.

12. The method as described in claim 8, further comprising, if the application identifier for the application does not match the application identifier used to mark the encrypted data, denying the application access to the encrypted data.

13. The method as described in claim 8, further comprising: receiving an indication that a previously trusted status of the device has been revoked; responsive to receiving said indication, preventing the device from receiving one or more additional security keys; and responsive to receiving said indication, re-encrypting the encrypted data using a new security key that is different than a previously stored security key stored at the device to prevent the device from decrypting the encrypted data with the previously stored security key.

14. The method as described in claim 8, wherein one or more of the first data storage or the second data storage are implemented as part of a cloud computing system.

15. A system comprising: one or more processors; and one or more computer-readable hardware storage media storing computer-executable instructions which are executable by the one or more processors to cause the system to perform operations including: receiving, at a computing device and via a network, encrypted data from a first data storage that is separate from a second data storage that stores security keys, the encrypted data being received in response to a user of the computing device logging on to a user account associated with the first data storage, the security keys being that are usable to: decrypt data that is stored in the first data storage; and encrypt data that is to be stored in the first data storage; receiving, along with the encrypted data, a request to decrypt the encrypted data; receiving via the network one or more of the security keys from the second data storage in response to a separate authentication procedure that enables access to the second data storage; encrypting user data from the computing device using an encryption key from the one or more security keys received from the second data storage to generate encrypted user data; marking the encrypted user data with a first application identifier associated with an application that resides on the comp
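The following is an added Python model of the scheme the claims describe, written for this page and not taken from the patent or any product: encrypted blobs live in one store, keys in a separately authenticated key store, each blob is marked with an application identifier that must match on read (claims 6 and 12), and revoking a device both stops key delivery and re-encrypts the data under a fresh key (claims 7 and 13). The SHA-256 counter-mode keystream is a stand-in for a real AEAD so the example runs on the standard library alone; store names, device ids and app ids are constructed.

```python
import hashlib
import os
from dataclasses import dataclass, field


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustrative stand-in
    for a real AEAD such as AES-GCM; do not use for actual data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class KeyStore:
    """'Second data storage': keys, released only after a separate device check."""
    keys: dict = field(default_factory=lambda: {1: os.urandom(32)})  # key_id -> key
    trusted_devices: set = field(default_factory=set)

    def get_keys(self, device_id: str) -> dict:
        if device_id not in self.trusted_devices:  # separate authentication step
            raise PermissionError("device not trusted for key access")
        return dict(self.keys)


@dataclass
class DataStore:
    """'First data storage': name -> (app_id, key_id, nonce, ciphertext)."""
    blobs: dict = field(default_factory=dict)


def store_sensitive(ds: DataStore, ks: KeyStore, device: str, app_id: str, name: str, pt: bytes):
    keys = ks.get_keys(device)
    key_id = max(keys)  # encrypt under the newest key
    nonce = os.urandom(12)
    ds.blobs[name] = (app_id, key_id, nonce, _keystream_xor(keys[key_id], nonce, pt))


def read_sensitive(ds: DataStore, ks: KeyStore, device: str, app_id: str, name: str):
    marked_app, key_id, nonce, ct = ds.blobs[name]
    if marked_app != app_id:  # identifier mismatch: deny (claim 12), no key fetch at all
        return None
    return _keystream_xor(ks.get_keys(device)[key_id], nonce, ct)


def revoke_device(ds: DataStore, ks: KeyStore, device: str):
    """Claims 7/13: stop key delivery, then re-encrypt every blob under a new key."""
    ks.trusted_devices.discard(device)
    new_id = max(ks.keys) + 1
    ks.keys[new_id] = os.urandom(32)
    for name, (app_id, key_id, nonce, ct) in list(ds.blobs.items()):
        pt = _keystream_xor(ks.keys[key_id], nonce, ct)
        new_nonce = os.urandom(12)
        ds.blobs[name] = (app_id, new_id, new_nonce, _keystream_xor(ks.keys[new_id], new_nonce, pt))
```

A device that cached the old key after revocation can still be handed the old ciphertext by the data store, which is why the re-encryption step, not just the key-delivery block, is what actually cuts it off.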
CPC classification titles:

- Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
- by registering files or documents with a third party
- for key distribution, e.g. centrally by trusted party (cryptographic mechanisms or cryptographic arrangements for key distribution involving a central third party H04L9/0819)
- File encryption
- Program or device authentication