Inferensys

Glossary

Data Sealing

A mechanism that cryptographically binds data to a specific enclave's identity and security version, allowing the enclave to securely persist secrets to untrusted storage and retrieve them only on the same platform.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
CRYPTOGRAPHIC PERSISTENCE

What is Data Sealing?

Data sealing is a mechanism that cryptographically binds data to a specific enclave's identity and security version, allowing the enclave to securely persist secrets to untrusted storage and retrieve them only on the same platform.

Data sealing is a hardware-enforced cryptographic operation that encrypts data using a key derived from the enclave's unique identity and the platform's Trusted Computing Base (TCB) security version. This ensures the sealed data can only be decrypted by the exact same enclave on the same physical processor, preventing access by malicious software, other enclaves, or even the same enclave running on a compromised platform with a downgraded security patch level.

The process typically involves an EGETKEY instruction that derives a sealing key from the processor's Hardware Root of Trust and the enclave's MRENCLAVE or MRSIGNER identity. This allows an enclave to securely write sensitive state—such as model weights or cryptographic keys—to untrusted external storage, guaranteeing confidentiality and integrity upon retrieval, as any tampering or platform rollback will produce an incorrect key and fail decryption.

CRYPTOGRAPHIC PERSISTENCE

Key Properties of Data Sealing

Data sealing is a critical mechanism that allows a Trusted Execution Environment (TEE) to securely persist secrets to untrusted external storage. It cryptographically binds data to a specific enclave's identity and security version, ensuring it can only be decrypted by the exact same application on the exact same platform.

01

Identity Binding

Data sealing cryptographically binds plaintext to the enclave's unique identity. The sealing key is derived from the MRENCLAVE (a hash of the enclave's code) or MRSIGNER (the author's signing key). This ensures that only an enclave running the exact same code, or code from the same trusted author, can unseal the data. This prevents a malicious or modified enclave from accessing persisted secrets.

MRENCLAVE
Code Identity Binding
MRSIGNER
Author Identity Binding
02

Authenticated Encryption

The sealing process uses Authenticated Encryption with Associated Data (AEAD), typically AES-GCM. This provides both confidentiality and integrity. Any tampering with the sealed data blob on the untrusted storage will be detected immediately upon unsealing, causing a decryption failure. This guarantees that the enclave never processes corrupted or maliciously modified state.

AES-GCM
Standard Cipher
03

Platform & Security Version Binding

Sealing policies can bind data to a specific Security Version Number (SVN) or CPUSVN of the platform's firmware and hardware. If a vulnerability is patched and the security version is incremented, an enclave can be configured to refuse to unseal data that was sealed on a vulnerable, older version. This prevents a rollback attack where an attacker downgrades the platform to exploit a known flaw.

04

Monotonic Counters for Replay Protection

To prevent an attacker from replacing the latest sealed data with a valid but older version (a replay attack), sealing can be bound to a hardware monotonic counter. The enclave increments the counter on each write and verifies it on read. If the counter in the sealed blob doesn't match the hardware's current counter value, the data is rejected, ensuring only the most recent state is restored.

05

Sealing to a Specific Enclave vs. Signing Identity

Two primary sealing policies exist:

  • Sealing to the Enclave Identity (MRENCLAVE): Only the exact same enclave binary can unseal the data. Any code change breaks access.
  • Sealing to the Signing Identity (MRSIGNER): Any enclave signed by the same developer key can unseal the data. This allows for seamless data migration between application versions from the same vendor.
06

Secure State Persistence

The primary use case for data sealing is maintaining a trusted state across power cycles. An enclave can seal its internal state (e.g., database encryption keys, user credentials, or a blockchain wallet) to the local disk. On restart, the enclave attests itself to a local or remote verifier, unseals its state, and resumes secure operation without human intervention to re-inject secrets.

DATA SEALING EXPLAINED

Frequently Asked Questions

Clear answers to the most common questions about how enclaves cryptographically bind sensitive data to a specific platform identity for secure persistence on untrusted storage.

Data sealing is a cryptographic mechanism that binds sensitive data to a specific enclave's identity and security version, allowing the enclave to securely persist secrets to untrusted storage and retrieve them only on the same platform. The process works by deriving a sealing key from the enclave's unique measurement (such as MRENCLAVE in Intel SGX) and the processor's hardware root of trust. When an enclave wants to store data, it encrypts the plaintext using this platform-specific key, producing a sealed blob that can be safely written to disk or a database. Upon retrieval, the enclave requests the processor to unseal the blob; the hardware verifies that the requesting enclave matches the identity bound to the ciphertext before decrypting it. This ensures that even if an attacker gains full access to the storage medium, they cannot decrypt the sealed data without running the exact authorized enclave on the original hardware.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.