Protection scheme for remotely-stored data

US9852299B2 · US · B2

Patent metadata
Publication number: US-9852299-B2
Application number: US-201314358789-A
Country: US
Kind code: B2
Filing date: Sep 27, 2013
Priority date: Sep 27, 2013
Publication date: Dec 26, 2017
Grant date: Dec 26, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

The present disclosure is directed to a protection scheme for remotely-stored data. A system may comprise, for example, at least one device including at least one virtual machine (VM) and a trusted execution environment (TEE). The TEE may include an encryption service to encrypt or decrypt data received from the at least one VM. In one embodiment, the at least one VM may include an encryption agent to interact with interfaces in the encryption service. For example, the encryption agent may register with the encryption service, at which time an encryption key corresponding to the at least one VM may be generated. After verifying the registration of the encryption agent, the encryption service may utilize the encryption key corresponding to the at least one VM to encrypt or decrypt data received from the encryption agent. The encryption service may then return the encrypted or decrypted data to the encryption agent.

Claims

Full claim text for this publication.

What is claimed:

1. At least one device, comprising: processing circuitry; and memory circuitry including at least one unsecured region into which the processing circuitry is to load a plurality of virtual machines to process data in the at least one device; and a trusted execution environment including at least an encryption service authenticated by the trusted execution environment, wherein the encryption service is to encrypt or decrypt data provided to the encryption service from the plurality of virtual machines using an encryption key generated specifically for each of the one or more virtual machines, the encryption keys being stored in an encrypted format decryptable by the authenticated encryption service; wherein the plurality of virtual machines each comprise an encryption agent to provide decrypted or encrypted data to the encryption service, receive decrypted or encrypted data from the encryption service and cause the at least one device to transmit encrypted data to, or receive encrypted data from, a remote resource; and wherein the encryption service is further to register each encryption agent prior to accepting data for encryption or decryption from the plurality of virtual machines.

2. The at least one device of claim 1, wherein the encryption service comprises at least an encryption interface and a decryption interface to interact with the encryption agent.

3. The at least one device of claim 1, wherein the trusted execution environment further comprises encryption keys corresponding to each of the plurality of virtual machines, the encryption keys being generated by the encryption service when each encryption agent is registered.

4. The at least one device of claim 3, wherein the trusted execution environment is based on secure enclave technology to protect at least the encryption service and encryption keys.

5. The at least one device of claim 3, wherein the encryption service is to use the encryption keys to encrypt or decrypt the data provided by the encryption agents.

6. The at least one device of claim 1, further comprising communication circuitry to transmit encrypted data to, and receive encrypted data from, the remote resource comprising a plurality of networked computing devices accessible via at least a wide-area network, the plurality of networked computing devices comprising at least memory circuitry to store encrypted data.

7. The at least one device of claim 1, wherein the at least one device comprises a plurality of networked computing devices accessible via at least a wide-area network, the plurality of networked computing devices further comprising at least the memory circuitry to store encrypted data.

8. The at least one device of claim 1, wherein each of the plurality of virtual machines comprises a separate trusted execution environment including at least an encryption service.

9. A method, comprising: receiving requests in an encryption service authenticated by and executing within a trusted execution environment in at least one device to register encryption agents in each of a plurality of virtual machines loaded into at least one unsecured region in memory circuitry in the at least one device; determining whether to register the encryption agents based at least on information provided in the requests; if it is determined that the encryption agents should be registered, registering the encryption agents in the encryption service; receiving, at the encryption service, data from at least one encryption agent in the plurality of encryption agents; determining if the at least one encryption agent is registered; if the at least one encryption agent is determined to be registered: decrypting a key corresponding to the virtual machine in which the at least one encryption agent is executing, the key being decrypted by the authenticated encryption service; encrypting or decrypting the received data in the encryption service using the key; and providing the encrypted or decrypted data to the at least one encryption agent.

10. The method of claim 9, further comprising: initiating the trusted execution environment in at least one device; and initiating the encryption service within the trusted execution environment.

11. The method of claim 9, further comprising: generating encryption keys corresponding to each of the plurality of virtual machines in the trusted execution environment based on the registering of each encryption agent.

12. The method of claim 11, wherein the trusted execution environment is based on secure enclave technology to protect at least the encryption service and encryption keys.

13. The method of claim 11, further comprising: if the at least one encryption agent is determined to be registered, encrypting or decrypting the received data using the corresponding encryption key.

14. At least one non-transitory machine-readable storage medium having stored thereon, individually or in combination, instructions that when executed by one or more processors result in the following operations comprising: receiving requests in an encryption service authenticated by and executing within a trusted execution environment in at least one device to register encryption agents in each of a plurality of virtual machines loaded into at least one unsecured region in memory circuitry in the at least one device; determining whether to register the encryption agents based at least on information provided in the requests; if it is determined that the encryption agents should be registered, registering the encryption agents in the encryption service; receiving, at the encryption service, data from at least one encryption agent in the plurality of encryption agents; determining if the at least one encryption agent is registered; if the at least one encryption agent is determined to be registered: decrypting a key corresponding to the virtual machine in which the at least one encryption agent is executing, the key being decrypted by the authenticated encryption service; encrypting or decrypting the received data in the encryption service using the key; and providing the encrypted or decrypted data to the at least one encryption agent.

15. The medium of claim 14, further comprising instructions that when executed by one or more processors result in the following operations comprising: initiating the trusted execution environment in at least one device; and initiating the encryption service within the trusted execution environment.

16. The medium of claim 14, further comprising instructions that when executed by one or more processors result in the following operations comprising: generating encryption keys corresponding to each of the plurality of virtual machines in the trusted execution environment based on the registering of each encryption agent.

17. The medium of claim 16, wherein the trusted execution environment is based on secure enclave technology to protect at least the encryption service and encryption keys.

18. The medium of claim 14, further comprising instructions that when executed by one or more processors result in the following operations comprising: if the at least one encryption agent is determined to be registered, encrypting or decrypting the received data using the corresponding encryption key.

Assignees

Intel Corp
Classifications

  • Isolation or security of virtual machine instances · CPC title

  • G06F21/602 (primary): Providing cryptographic facilities or services · CPC title

  • to a system of files or objects, e.g. local or distributed file system or database · CPC title

  • Hypervisor-specific management and integration aspects · CPC title

  • Protecting data · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9852299B2 cover?
The present disclosure is directed to a protection scheme for remotely-stored data. A system may comprise, for example, at least one device including at least one virtual machine (VM) and a trusted execution environment (TEE). The TEE may include an encryption service to encrypt or decrypt data received from the at least one VM. In one embodiment, the at least one VM may include an encryption a…
Who is the assignee on this patent?
Intel Corp
What technology area does this patent fall under?
Primary CPC classification G06F21/602. Mapped technology areas include Physics.
When was this patent published?
Publication date: Dec 26, 2017 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).