Inferensys

Glossary

Sealing

A TEE-specific cryptographic operation that encrypts data and binds it to the unique identity of the enclave and platform that generated it, ensuring decryption is possible only by the exact same enclave on the exact same hardware.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
DATA BINDING

What is Sealing?

A cryptographic operation that binds encrypted data to a specific enclave identity and platform, ensuring it can only be decrypted by the exact same application on the exact same hardware.

Sealing is a TEE-specific operation that encrypts data and cryptographically binds it to the enclave identity (MRENCLAVE) and the platform identity (MRSIGNER) that generated it. This process ensures the data can only be decrypted by the exact same enclave binary on the exact same hardware, preventing an attacker who has extracted the raw ciphertext from reading it on a different machine or within a modified enclave.

Sealing is fundamental to stateful confidential computing, allowing enclaves to securely persist secrets to untrusted storage. Intel SGX supports sealing to the enclave identity for strict software binding, or to the sealing authority for allowing data migration across versions signed by the same author. This mechanism protects data-at-rest for TEE workloads without requiring an external key management service.

Data Binding in Trusted Execution

Core Properties of Sealing

Sealing is a fundamental TEE primitive that cryptographically binds data to a specific enclave identity, ensuring decryption is only possible within the exact same environment that created it.

01

Enclave Identity Binding

Sealing encrypts data such that it can only be decrypted by the exact same enclave on the exact same hardware. The encryption key is derived from the enclave's unique identity (MRENCLAVE) and the platform's hardware root of trust. This prevents data from being read by:

  • A different enclave on the same machine
  • The same enclave code running on different hardware
  • The host operating system or hypervisor
  • Any process outside the TEE boundary
CPU-Bound
Key Derivation Source
02

Seal Key Derivation

The seal key is derived from a combination of enclave identity and platform-specific fused keys burned into the CPU during manufacturing. Intel SGX uses the EGETKEY instruction with the following inputs:

  • MRENCLAVE: A cryptographic hash of the enclave's code and initial state
  • MRSIGNER: The identity of the enclave author (for sealing to a signing authority)
  • Key Policy: Specifies whether the key is bound to MRENCLAVE or MRSIGNER
  • Attribute Masks: Security-relevant CPU features that must match for decryption

This ensures the derived key is deterministic within the enclave but cryptographically inaccessible from outside.

AES-GCM
Encryption Algorithm
03

Sealing Policies

TEE platforms support two primary sealing policies that determine the scope of data accessibility:

MRENCLAVE Policy (Enclave Identity)

  • Binds data to the exact enclave binary
  • Any code change invalidates the seal key
  • Highest security, lowest flexibility

MRSIGNER Policy (Signing Identity)

  • Binds data to the enclave author's signing key
  • Allows versioned updates to decrypt legacy data
  • Enables data migration across enclave versions
  • Requires trust in the signing authority

AMD SEV implements similar concepts through Launch Secret injection tied to attestation measurements.

2
Policy Types
04

Monotonic Counters & Anti-Rollback

Sealing integrates with hardware monotonic counters to prevent rollback attacks where an attacker restores an old sealed data blob to bypass security updates. The mechanism works as follows:

  • The enclave requests a counter value from the platform
  • The counter is incremented and bound to the sealed blob
  • On unsealing, the enclave verifies the counter matches or exceeds the expected value
  • Hardware guarantees the counter can never decrease

This prevents an attacker with disk access from substituting a previously valid sealed blob after a security patch has been applied.

Hardware
Counter Guarantee
05

Sealing in Confidential AI Pipelines

In production ML deployments, sealing protects sensitive artifacts across the model lifecycle:

  • Model Weights at Rest: Proprietary model weights are sealed to the inference enclave, making them unreadable even if the storage volume is compromised
  • Training Data Caching: Intermediate training states are sealed to prevent data leakage during distributed training
  • API Key Storage: Third-party API credentials are sealed rather than stored in environment variables
  • Attestation Token Caching: Signed attestation reports are sealed to avoid repeated attestation handshakes

The sealed data is opaque ciphertext outside the TEE, providing defense-in-depth even if the host OS is fully compromised.

Opaque
Ciphertext Property
CRYPTOGRAPHIC BINDING COMPARISON

Sealing vs. Standard Encryption

A comparison of TEE-specific sealing operations against conventional encryption methods, highlighting the critical differences in key management, identity binding, and threat models.

FeatureTEE SealingStandard EncryptionHSM-Backed Encryption

Key Binding Target

Specific enclave identity + platform

Application or user identity

Physical HSM device identity

Decryption Scope

Only the exact same enclave on the same hardware

Any entity possessing the key

Any application with authorized HSM access

Protects Against Host OS Compromise

Protects Against Physical Memory Attacks

Requires Remote Attestation for Key Release

Key Portability Across Machines

Typical Latency Overhead

< 1 ms

< 0.1 ms

1-5 ms

Granularity of Binding

Process + code identity + platform

User or service account

Physical device

CRYPTOGRAPHIC DATA BINDING

Frequently Asked Questions

Explore the mechanics of sealing in Trusted Execution Environments, a critical operation for binding encrypted data to a specific enclave's identity and platform state.

Sealing is a Trusted Execution Environment (TEE)-specific cryptographic operation that encrypts data and binds it to the exact identity of the enclave and the platform that generated it. Unlike standard encryption, which relies solely on a key, sealing derives an encryption key from the enclave's unique measurement and the platform's hardware root of trust. This ensures the resulting ciphertext can only be decrypted by the exact same enclave code running on the exact same hardware. The process typically involves the CPU fetching a seal key from a hardware fuse or deriving it from a Hardware Root of Trust, then combining it with the enclave's identity (its MRENCLAVE or MRSIGNER value) to create a binding key. This guarantees data-in-use protection persists even when data is written to disk, as the decryption key is never exposed to the host OS, hypervisor, or any other enclave.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.