This disclosure is directed to cryptographic protection for trusted operating systems. In general, a device may comprise for example, at least processing circuitry and memory circuitry. The device may be virtualized in that the processing circuitry may load virtual machines (VMs) and a virtual machine manager (VMM) into the memory circuitry during operation. At least one of the VMs may operate as a trusted execution environment (TEE) including a trusted operating system (TOS). The processing circuitry may comprise encryption circuitry to cryptographically protect the TOS. For example, the VMM may determine a first memory range in which the TOS will be loaded and store data regarding the first memory range in a register within the encryption circuitry. The register configures the encryption circuitry to cryptographically protect the TOS.