SGX Sealing
Sealing is a technique for saving sensitive information to untrusted disk. The data is encrypted and can only be decrypted by the same enclave that sealed it. An enclave is any software that runs inside a trusted execution environment (TEE).
When sealing data to disk with SGX, the enclave encrypts it with its own unique key, which the processor derives by combining the enclave's measurement with the processor's own root key. Because the key is unique to that enclave and that processor, the data can only be decrypted by the same enclave running on the same processor.
The following code example demonstrates how to seal and unseal data from inside the enclave.
[dependencies]
detee-sgx = { git = "https://gitea.detee.cloud/general/detee-sgx", features = ["sealing"] }
// Sealing: the enclave encrypts the bytes and the sealed blob is written to untrusted disk
let sealed = detee_sgx::SealingConfig::new()?.seal_data(vec![1, 2, 3, 4])?;
std::fs::write(path, sealed)?;
// Un-sealing: read the blob back and let the same enclave decrypt it
let sealed = std::fs::read(path)?;
let serialized = detee_sgx::SealingConfig::new()?.un_seal_data(sealed)?;
This example relies on utils_lib, which is present inside the Docker image that we provision, detee/occlum:0.30.1-ubuntu20.04. At runtime the library uses the /dev/sgx device through IOCTL calls to interact with the Occlum runtime and ask the processor to generate the sealing key for the enclave.
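The same-enclave, same-processor property described above, as an added Python model that is not the page's code and not the detee-sgx implementation: the sealing key is derived from a processor root key and the enclave measurement (an HMAC-SHA256 stand-in for the processor's own derivation, not Intel's EGETKEY), and the sealed blob is authenticated so that a different enclave, a different CPU, or a file modified on disk is refused before anything is decrypted. All key and measurement values are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in values; not real SGX fuse keys or enclave measurements.
CPU_ROOT_KEY = hashlib.sha256(b"constructed cpu root key").digest()
MRENCLAVE_A = hashlib.sha256(b"constructed enclave build A").digest()
MRENCLAVE_B = hashlib.sha256(b"constructed enclave build B").digest()

def derive_sealing_key(root_key: bytes, mrenclave: bytes) -> bytes:
    # Model of the processor-generated key: bound to both the CPU root key and
    # the enclave measurement (HMAC-SHA256 stand-in, not Intel's EGETKEY).
    return hmac.new(root_key, b"sealing-key" + mrenclave, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode used as a simple keystream, XORed with data.
    out, block = bytearray(), b""
    for i, byte in enumerate(data):
        if i % 32 == 0:
            block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)

def seal(sealing_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC under subkeys. Blob layout: nonce(16) || ciphertext || tag(32).
    enc_key = hmac.new(sealing_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(sealing_key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ciphertext = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(sealing_key: bytes, blob: bytes) -> bytes:
    # Check the tag before decrypting: a blob sealed by another enclave or on
    # another CPU, or one modified on disk, is refused here and never decrypted.
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(sealing_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(sealing_key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("sealed blob rejected: wrong enclave/CPU or tampered")
    return _xor_stream(enc_key, nonce, ciphertext)

def can_unseal(root_key: bytes, mrenclave: bytes, blob: bytes) -> bool:
    # True only when this (CPU, enclave) pair derives the key that sealed the blob.
    try:
        unseal(derive_sealing_key(root_key, mrenclave), blob)
        return True
    except ValueError:
        return False
```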
Use-cases for sealing
Sealing is useful when you want to save sensitive data to disk so that it persists between software restarts, but you don't want anybody except your software to be able to read it or tamper with it. For example, you can use sealing to save the wallet key or the database encryption key to disk.
The only limitation is the performance of sealing big files. Since the sealing process in detee-sgx is simplified, it works best for small files. When you need to seal a lot of data, we recommend using the native encryption tools of your database or software and sealing only the encryption key.