Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1493 Discussions

Does SGX have Non Volatile Storage

samad__abdu
Beginner
‎12-04-2018 05:09 PM
2,579 Views

Can i store secret keys persistently in SGX enclave or SGX memory.

0 Kudos

Link Copied

3 Replies
Scott_R_Intel
Moderator
‎12-06-2018 10:46 AM
2,579 Views

Hi Abdu.

You can seal/encrypt keys/other data inside an enclave and then save the encrypted blob to disk.  By default, the sealed data will only be accessible by the enclave that created the encrypted blob.  You can read a brief introduction about this here:  https://software.intel.com/en-us/blogs/2016/05/04/introduction-to-intel-sgx-sealing

Regards.

Scott

0 Kudos
Copy link
samad__abdu
Beginner
‎12-12-2018 08:29 AM
2,579 Views

thank you Scott 

so if i seal the keys inside enclave and save it as a sealed blob to disk.
will this assure me that the key will not be readable/accessible to any other cpu/sgx-system, In case if some one take the saved blob to different machine.
does this technique guarantee me in meeting the protection level that i have to give, for storing keys like HDCP. 
  

Regards

Abdusamad

 

0 Kudos
Copy link
Scott_R_Intel
Moderator
‎12-12-2018 08:48 AM
2,579 Views

Hi again Abdusamad.

That is correct, the seal key used by your enclave is, by default, only available to your enclave on that particular CPU.  No other enclave running on that same CPU, nor your enclave running on another CPU, would have access to that same seal key and therefore be able to decrypt your data.

Yes, it can be used to give you that level of security.  But, you need to be aware that because of that level of security, if you seal data with the seal key, and something happens to that CPU (the user's system dies, etc.), then even if you have access to the sealed data, you would never be able to decrypt it again.  If you're ok with that, meaning you could re-supply the encrypted data to the user in some fashion, then this will work for you.

But, as an FYI, the way the sealed key is generally used is to seal server provided/provisioned keys, after your enclave has gone through the SGX remote attestation (RA) process.  This way, if something happened to that platform, the data could still be decrypted on another platform after that platform went through SGX RA and the encryption/decryption keys were re-provisioned from the server. For more information about SGX RA, including a working code sample, please see this link:

https://software.intel.com/en-us/articles/code-sample-intel-software-guard-extensions-remote-attestation-end-to-end-example

Regards.

Scott

0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.