An escrow platform is described that can be used to enable access to devices. The escrow platform can be used to sign cryptographic network protocol challenges on behalf of clients so that the secrets used to sign cryptographic network protocol challenges do not have to be exposed to the clients. The escrow platform can store or control access to private keys, and the corresponding public keys can be stored on respective target platforms. A client can attempt to access a target platform and in response the target platform can issue a challenge. The client platform can send the challenge to the escrow platform, which can use the corresponding private key to sign the challenge. The signed challenge can be sent back to the client, which can forward it to the target platform. The target platform can verify the expected private key and grant access.