Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

Data is not encrypted in Enclave


Hello, I'm Tae Un Kang.


I save data in Enclave. But, data is shown by Cheating Tool(Ex. CheatEngine)


I think data is not encrypted.


If I want to encrypt data in enclave, I have to use Release mode?

(I tested Pre-release mode)


Can I use release mode in free?(Ex. Research purpose or education license) 



0 Kudos
3 Replies

Enclave Signing Key Management:
2-step method using an external signing tool:
First step: At the end of the enclave build process, the signing tool generates the enclave signing material. The ISV takes the enclave signing material file to an external signing platform/facility where the private key is stored, signs the signing material file, and takes the resulting signature file back to the build platform.

Second step: The ISV runs the signing tool with the catsig command providing the necessary information at the command line to add the hash of the public key and signature to the enclave’s metadata section.

The 2-step signing process protects the signing key in a separate facility. Thus it is the default signing method for the Intel SGX project release profile. This means it is the only method for signing production enclave applications.

Enclave Signing Example:
Two-step signing process:
Signing an enclave using a private key stored in an HSM, for instance:
1. Generate the enclave signing material.
sgx_sign gendata -enclave -config config.xml -out enclave_hash.hex

2. At the signing facility, sign the file containing the enclave signing material (enclave_hash.hex) and take the resulting signature file (signature.hex) back to the build platform.

3. Sign the enclave using the signature file and public key.
sgx_sign catsig -enclave -config config.xml -out -key public.pem -sig signature.hex -unsigned enclave_hash.hex

Currently the evaluation SDK allows the developer to create and run enclaves using the Debug and Pre-release profiles. Enclaves compiled under the Release profile will not work until the developer completes the production licensing process. If you would like to deliver a production-quality application using SGX, please contact the SGX Program<> for more information about a production license.

For more info , please refer to this thread.




New Contributor III


there is no education license for enclave development. On the other hand, the SGX commercial license is free of charge. You just have to follow the steps pointed out by Shivananda.

Could you please clarify how did you save data in the enclave?

Best regards,



I compiled pre-release mode. and I generate enclave.cpp in enclave area.

I checked not encrypted data in memory by using cheat-engine(memory manipulation tool)



void enclaveInFunction(char *buf, size_t len)
   if (len <= (size_t)MAX_BUF_LEN) {
   memcpy(enclaveString, buf, strlen(buf) + 1);
   printf("enclaveString addr: %p\n", enclaveString);
   printf("Enclave.cpp/buf: %p\n", buf);


I have a question. I followed Shivananda's comment.

I completed signing enclave.

But I get a error_code[sgx_status_t value(0x4004)] in running application.

0x4004 means Enclave has no privilege to get launch token.

Is it a problem because there is no Commercial License?


Best regards,

Tae Un