Patent attributes
A cryptographic key of a first instance of a group of one or more cloud nodes providing a service is managed. A request to share the cryptographic key with a second instance of a different group of one or more cloud nodes is received. A determination is made whether the second instance is allowed to access the cryptographic key. In response to a determination that the second instance is allowed to access the cryptographic key, the cryptographic key is encrypted with a target key of the second instance and the encrypted cryptographic key is signed using a cryptographic signature of the first instance. The signed encrypted cryptographic key is provided to the second instance.