A computing device includes: a trusted execution environment with access to a memory storing a deletable root key, the memory inaccessible by a second execution environment; and at least one processor operable in the trusted execution environment, wherein when operating in the trusted execution environment, the at least one processor is configured for: based on requests from the second execution environment, performing a root key operation on an encryption key utilized by the second execution environment to secure data the second execution environment; and deleting the root key upon detection of a security event.