Patent attributes
Managing private key access in multiple nodes is described. A piece of data (e.g., a private key) is encrypted using identity-based broadcast encryption and identity-based revocation encryption so that only certain servers in a distributed network of servers can decrypt the piece of data. The piece of data is encrypted with a key encryption key (KEK). The KEK is split into two pieces. The first piece is encrypted using identity-based broadcast encryption with an identified location as input such that only servers of the identified location can decrypt the first piece, and the second piece is encrypted using identity-based revocation encryption so that certain identified servers of the identified location cannot decrypt cannot decrypt the second piece. The keys are transmitted to the servers.