A method includes, with a computing system, exiting a context of a virtual machine, the exiting in response to a request from a guest operating system of the virtual machine to switch from a first encryption key identifier for the virtual machine to a second encryption key identifier for the virtual machine. The method further includes, with the computing system, loading the second encryption key identifier into a virtual machine control module of a virtual processor of the virtual machine and after loading the second encryption key identifier, entering the context of the virtual machine.