Systems and methods for providing a trusted keystore are disclosed. In one embodiment, in an information processing apparatus comprising at least one computer processor, a method for providing a trusted keystore may include: (1) selecting and storing a root Keyblock Protection Key (KBPK) in a trusted domain; (2) for each key class: creating a keyblock with a class KBPK; and storing the keyblock in an untrusted keystore in an unfrosted domain; (3) loading keyblocks to a trusted key manager in the trusted domain; (4) decrypting the keyblocks with an encryption class key; (5) verifying the keyblocks under a MAC class key; (6) loading class keyblocks to the trusted key manager from the untrusted keystore; (7) writing the keyblocks to the untrusted keystore; and (8) writing class keyblock MACs in a hierarchy to the untrusted keystore. A number of levels in the hierarchy is based on an amount of available storage in the trusted domain.