A method, a computer system, and a computer program product may provide a cryptographic key object to a guest virtual server for use in cryptographic operations. The guest virtual server may register with a hypervisor. The hypervisor may generate a guest wrapping key associated with guest credentials from the registering. The hypervisor may also generate a satellite virtual server instance. The guest virtual server and the satellite virtual server instance share a master key that cannot be accessed by the hypervisor or by any guest virtual server. The trusted hypervisor may pass a copy of the guest wrapping key to the satellite virtual server instance. A random guest key may be generated and may be wrapped with a guest wrapping key thereby producing a wrapped guest key. The hypervisor may convert the wrapped guest key to be a protected key that serves as the cryptographic key object.