The technology disclosed herein provides network bound encryption that enables a trusted execution environment to persistently store and access recovery data without persistently storing the decryption key. An example method may include: establishing a trusted execution environment in a first computing device, the trusted execution environment comprising an encrypted memory area; loading cryptographic key data of a second computing device and executable code into the trusted execution environment; transmitting combined key data that is based on the cryptographic key data to a third computing device; deriving a cryptographic key from combined key data received from the third computing device, the received combined key data being based on the cryptographic key data of the second computing device and cryptographic key data of the third computing device; and causing the trusted execution environment to execute the executable code and use the cryptographic key to access sensitive data on a persistent storage device.