In one embodiment, an application executing on a host node allocates a memory address of a remote node. The application selects, based at least in part on device capability information for the host and remote nodes, one of the host node or the remote node to encrypt application data, and configures the selected node to encrypt the application data based on a key and a pointer to the memory address of the remote node.