Embodiments relate to a host encrypting network communications of virtual machines (VMs) in ways that minimize exposure of the network communications in cleartext form. The host captures and registers a measure of a secure state of the host. The measure is registered with a guardian service communicable via a network. The guardian service also securely stores keys of the VMs. Each VM's key is associated with authorization information indicating which machines are authorized to obtain the corresponding VM's key. The host obtains access to a VM's key based on a confirmation that its state matches the registered measured state and based on the authorization information of the VM indicating that the host is authorized to access the key. The VM's key is then used to transparently encrypt/decrypt network communications of the VM as they pass through a virtualization layer on the host that executes the VMs.