We all know non-public data on the cloud servers should be encrypted. What if data has to be processed right on the servers? Data processing programs need to know about the encryption key, however, we must only hand over the key to programs that we can trust. Trusted programs are those we can build from source, that means that we can embed one-time-use secrets to them. Every time when we want to run a program on server, a different executable copy with different secrets is uploaded to server, and server should launch it as soon as possible. The running program has to answer questions correctly, and shortly (to protect against secrets being reverse engineered), before we can send over the data access key. A trusted program must keep the key only in memory, never write the key to disk, and should hide or destroy the key after use. If it's restarted, it will have to ask for the key again, then we will know something is wrong. Open source programs are easier to be reverse engineered, therefore we must add secrets to it in an obfuscated way to make sure secrets can not be revealed by an attacker in a short time. Depending on security measures, the access key must be invalidated or the data should be removed after a certain period.