The technology disclosed herein provides network bound encryption that enables a node management device to orchestrate workloads with encrypted data without sharing the decryption key. An example method may include: obtaining an asymmetric key pair comprising a public asymmetric key and a private asymmetric key; establishing a symmetric key using a key establishment service, wherein the symmetric key is established in view of the private asymmetric key of a first computing device and a public asymmetric key of the key establishment service; transmitting sensitive data encrypted using the symmetric key to a persistent storage device accessible to a second computing device; initiating a creation of an execution environment on the second computing device; and providing, by the first computing device, the public asymmetric key and the location data to the second computing device, wherein the location data corresponds to the key establishment service.