An apparatus comprises a hardware processor to define a linear address (LA) region outside an established address range for a secure enclave, generate, for the linear address (LA) region, a unique encryption key accessible only to the enclave, assign a key identifier to the unique encryption key, store the linear address (LA) region and the unique encryption key in an enclave control structure, and program the key identifier and the unique encryption key into a memory encryption circuitry.