Inferensys

Glossary

Enclave Sealing

A mechanism that allows a Trusted Execution Environment to encrypt data for persistent storage, binding it to a specific enclave identity so it can only be decrypted by the same application on the same platform.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
CRYPTOGRAPHIC STATE PERSISTENCE

What is Enclave Sealing?

Enclave sealing is a cryptographic mechanism that allows a Trusted Execution Environment (TEE) to encrypt data for persistent storage, cryptographically binding it to a specific enclave identity so it can only be decrypted by the exact same application on the same platform.

Enclave sealing is the process by which an enclave derives a unique, platform-specific encryption key from its enclave identity (the MRENCLAVE or MRSIGNER measurement) and a fused hardware root key. This Seal Key encrypts application state before it leaves the TEE boundary, ensuring that data written to untrusted storage is cryptographically opaque to the host operating system, hypervisor, or any other process. The binding guarantees that sealed data can only be unsealed by an enclave possessing the identical code identity and running on the same physical CPU package.

Two primary sealing policies exist: Sealing to the Enclave Identity (MRENCLAVE), which binds data to the exact version of a specific enclave binary, and Sealing to the Signing Identity (MRSIGNER), which allows different versions of an enclave signed by the same authority to access the sealed data. This mechanism is fundamental for maintaining state across power cycles in confidential computing, enabling secure key storage, persistent ledger updates, and protected model checkpointing without exposing secrets to the underlying infrastructure.

CRYPTOGRAPHIC PERSISTENCE

Core Properties of Enclave Sealing

Enclave sealing is the mechanism that allows a Trusted Execution Environment (TEE) to securely persist data to untrusted storage. It cryptographically binds encrypted data to a specific enclave identity, ensuring it can only be decrypted by the exact same application on the exact same platform.

01

Identity Binding

Sealing cryptographically binds data to the enclave identity (MRENCLAVE) or the sealing authority (MRSIGNER).

  • MRENCLAVE (Enclave Identity): Binds to the exact hash of the enclave's code and initial state. Any code change makes the data permanently inaccessible.
  • MRSIGNER (Sealing Authority): Binds to the developer's signing key. Allows different versions of the same application to share sealed data.

This ensures that even if an attacker gains root access to the host operating system and copies the sealed data blob, they cannot decrypt it without running inside the original enclave.

MRENCLAVE
Strictest Binding
MRSIGNER
Version-Tolerant Binding
02

Sealing Key Derivation

The sealing key is not stored on disk. It is derived on-the-fly by the TEE hardware using a fused, platform-unique root key and the enclave's measurement.

  • The CPU combines a hardware-embedded root key (fused at manufacture) with the enclave's cryptographic identity.
  • This derived key is only accessible to the enclave during execution.
  • On Intel SGX, this is the Enclave Key Hierarchy; on AMD SEV, it leverages the Platform Diffie-Hellman key.

The result is a symmetric key that exists only within the CPU package and is never exposed to RAM, the OS, or the hypervisor.

03

Anti-Rollback Protection

Sealing integrates with monotonic counters and versioning to prevent an attacker from restoring an old, vulnerable version of sealed data.

  • The TEE maintains a hardware-backed counter that only increments.
  • When sealing data, the current counter value is embedded in the sealed blob.
  • On unsealing, the enclave verifies the counter hasn't been tampered with.

This defeats rollback attacks where an adversary with physical access replaces the latest sealed state with a previous one to exploit a patched vulnerability.

04

Platform vs. Migration Sealing

Sealing policies define the scope of where data can be decrypted.

  • Platform Sealing: Binds data to a specific physical CPU. The sealed blob cannot be decrypted on any other machine, even with identical enclave code. Ideal for node-specific credentials.
  • Migration Sealing: Allows data to be transferred between trusted platforms in a cluster. Requires a migration authority to re-wrap the sealed data for the target platform's TEE.

This distinction is critical for designing stateful, fault-tolerant confidential services that must survive hardware failures.

05

Sealed Data Format

The output of a seal operation is an opaque, authenticated ciphertext blob with a defined structure.

  • Payload: The original plaintext encrypted with AES-GCM.
  • Key Blob: The sealing key itself, encrypted with the CPU's hardware key.
  • Enclave Identity: The MRENCLAVE or MRSIGNER value required for decryption.
  • Policy Flags: Attributes like anti-rollback version and migration permissions.
  • MAC Tag: An authentication tag over the entire structure to detect tampering.

Any modification to the sealed blob—even a single bit—will cause the unseal operation to fail cryptographically.

06

Use Cases in AI Infrastructure

Enclave sealing is foundational for stateful confidential AI workloads.

  • Model Weight Persistence: Encrypt fine-tuned model weights to disk so they survive enclave restarts without exposing proprietary IP to the host.
  • Secure Checkpointing: Save training state periodically in long-running confidential training jobs.
  • Local Secret Storage: Store API keys and database credentials that the enclave needs across reboots, avoiding external key management dependencies.
  • Confidential Ledgers: Maintain an append-only, tamper-evident log where each entry is sealed to the auditing enclave.
ENCLAVE SEALING EXPLAINED

Frequently Asked Questions

Enclave sealing is the cryptographic mechanism that allows a Trusted Execution Environment to persist data securely. It binds encrypted data to a specific enclave identity, ensuring it can only be decrypted by the exact same application on the exact same platform.

Enclave sealing is a cryptographic persistence mechanism that allows a Trusted Execution Environment (TEE) to encrypt data for storage outside the enclave's volatile memory. The process works by deriving a sealing key from the enclave's unique identity and the platform's hardware root of trust. When an enclave calls a sealing instruction (such as EGETKEY in Intel SGX), the CPU's memory encryption engine generates a key cryptographically bound to the enclave measurement (MRENCLAVE) and, optionally, the signing identity (MRSIGNER) . This sealed blob can be written to untrusted storage, but only the identical enclave on the identical platform can derive the same key to decrypt it, guaranteeing confidentiality and integrity even against a compromised operating system.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.