An apparatus includes one or more processor core, trusted key store, memory controller, and a memory module. The memory controller includes an encryption/decryption module that encrypts data being stored to the memory module for a guest OS being executed by the processor core(s) and that decrypts data being read from the memory module for the guest OS. Data owned by the guest OS is encrypted and decrypted by the encryption/decryption module using an encryption key stored by the trusted key store in association with the guest OS. A method encrypts data owned by the guest OS using the encryption key assigned to the guest OS and stores the encrypted data on a memory module, wherein the encrypted data is stored in association with the process identifier of the guest OS, and decrypts the encrypted data using the guest OS encryption key and provides the decrypted data to the guest OS.