In operation, the key management system 730 may be hosted on a network server with the applications 740A to 740Z. One of the applications may request to perform an operation on a cryptographic item stored in the secure enclave of the key management system 730. Upon receipt of the required number of approvals to perform the operation, the operation may be performed on the cryptographic item. To perform the operation on the cryptographic item stored in the memory of the secure enclave of the key management system 730, the processing device 710 may use an instruction that uses one of its internal cryptographic keys 711, a key that is based on the identification of the key management system 730. For example, the cryptographic item may be decrypted when read from the storage 751 or memory 752 associated with the processing device 710, or at another storage resource over a network 750 (e.g., at a storage device of the storage resource), and exported to the application. Although